CRITICAL🇵🇱 Wersja polska

CVE-2026-37709

CVSS 9.8v3.1pub. 2026-05-07upd. 2026-05-12

Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component

🤖 AI Analysis
How it works

The vulnerability exists in the component app/Http/Controllers/Api/UploadedFilesController.php, responsible for handling files uploaded via API. Improper permissions (CWE-284) allow an attacker to upload and execute a malicious file without needing permissions or authentication. Over the network, without any additional conditions, an attacker can deliver a payload leading to code execution (RCE) on the server.

Impact

An attacker can execute arbitrary code on the vulnerable server, leading to complete system compromise, data breach, and violation of confidentiality, integrity, and availability of the application and its data.

Mitigation & patch

Snipe-IT should be updated to a version containing commit 676a9958 (published 2026-03-10) or later. Detailed information is available in the official security advisory on GitHub: https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64

Who is affected

Snipeitapp Snipe-IT version 8.4.0 and earlier (vulnerability fixed after commit 676a9958 from 2026-03-10)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Snipeitapp Snipe It

    APP
    Snipeitapp
    < 8.4.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-63601CRITICAL9.9PL ✓ten sam produkt

RCE w Snipe-IT via złośliwy plik backup (CVE-2025-63601)

CVE-2026-48507HIGH7.1ten sam produkt

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-adm...

CVE-2026-44832HIGH8.7ten sam produkt

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit...

CVE-2025-15602HIGH8.7ten sam produkt

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insu...

CVE-2024-51093HIGH8.7ten sam produkt

Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious...