Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component
The vulnerability exists in the component app/Http/Controllers/Api/UploadedFilesController.php, responsible for handling files uploaded via API. Improper permissions (CWE-284) allow an attacker to upload and execute a malicious file without needing permissions or authentication. Over the network, without any additional conditions, an attacker can deliver a payload leading to code execution (RCE) on the server.
An attacker can execute arbitrary code on the vulnerable server, leading to complete system compromise, data breach, and violation of confidentiality, integrity, and availability of the application and its data.
Snipe-IT should be updated to a version containing commit 676a9958 (published 2026-03-10) or later. Detailed information is available in the official security advisory on GitHub: https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64
Snipeitapp Snipe-IT version 8.4.0 and earlier (vulnerability fixed after commit 676a9958 from 2026-03-10)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSnipeitapp Snipe It
APPSnipeitapp< 8.4.1
Related vulnerabilities
RCE w Snipe-IT via złośliwy plik backup (CVE-2025-63601)
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-adm...
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit...
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insu...
Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious...