HIGH🇵🇱 Wersja polska

CVE-2026-48507

CVSS 7.1v3.1pub. 2026-06-08upd. 2026-06-09

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
  • Snipeitapp Snipe It

    APP
    Snipeitapp
    < 8.6.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-37709CRITICAL9.8PL ✓ten sam produkt

RCE w Snipe-IT — Insecure Permissions w API uploadu plików

CVE-2025-63601CRITICAL9.9PL ✓ten sam produkt

RCE w Snipe-IT via złośliwy plik backup (CVE-2025-63601)

CVE-2026-44832HIGH8.7ten sam produkt

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit...

CVE-2025-15602HIGH8.7ten sam produkt

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insu...

CVE-2024-51093HIGH8.7ten sam produkt

Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious...