Description
Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system, v8.3.0 up to and including v8.3.1, allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The JavaScript code is executed whenever the "Activity Report" or the modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2.
Published: 2026-04-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch
AI Analysis

Impact

Authenticated users with the lowest privilege level can insert arbitrary JavaScript into the Name and Surname fields of user profiles in Snipe-IT v8.3.0–8.3.1 when the profile's Display Name field is left blank. When another user views the Activity Report or the modified profile, the injected code runs in that user's browser session. The description implies this could allow client-side attacks such as credential theft or phishing, but these specific outcomes are inferred from typical XSS effects.

Affected Systems

Affected software is the Snipe-IT web-based asset-management system, version 8.3.0 through 8.3.1 inclusive. The fix is available in version 8.3.2 and later. No other vendors or product variants are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.4 represents medium severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not present in the CISA KEV catalog. Exploitation requires an authenticated session and a target profile lacking a Display Name; the injected script runs only in the browser of a user who has permission to view the Activity Report or the modified profile. Because the vulnerability is reachable via the web interface and affects authenticated users, the risk is partly mitigated by user-level controls but remains in environments where low-privilege accounts can edit profiles and other users view reports.

Generated by OpenCVE AI on April 14, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snipe-IT to version 8.3.2 or later to resolve the XSS vulnerability.
  • If an upgrade cannot be performed immediately, set a non-empty Display Name for all user profiles to prevent the script from executing.
  • Limit the ability of low-privilege users to view the Activity Report or modify profiles until the patch is applied.
  • Monitor web server logs for attempts to inject JavaScript into the Name and Surname fields.
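A defender-side audit for the two conditions these actions target (markup in the Name/Surname fields, and profiles whose Display Name is unset), together with the hardened fallback that escapes whichever field ends up rendered. This is an added example, not OpenCVE's or Snipe-IT's code; the record shape and field names (`first_name`, `last_name`, `display_name`) are assumptions about an exported user list, not Snipe-IT's schema, and the sample rows are constructed.

```python
import html
import re

# Constructed sample export; the field names are an assumption about how a user list
# might be exported, not Snipe-IT's actual schema. Row 2 is in the state the advisory
# describes: markup in a name field and no Display Name set.
SAMPLE_USERS = [
    {"id": 1, "first_name": "Alice", "last_name": "Smith", "display_name": "A. Smith"},
    {"id": 2, "first_name": "Bob <script>alert(1)</script>", "last_name": "Jones", "display_name": ""},
    {"id": 3, "first_name": "Carol", "last_name": "<b>Lee</b>", "display_name": "Carol L"},
    {"id": 4, "first_name": "Dave", "last_name": "O'Brien", "display_name": None},
]

# HTML tags, inline event handlers and javascript: URLs have no place in a person's name.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!][^>]*>|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def has_markup(value: str) -> bool:
    """True if a name field contains anything that could be rendered as HTML or script."""
    return bool(MARKUP_RE.search(value or ""))


def display_name_unset(user: dict) -> bool:
    """The advisory's precondition: Display Name blank, so the name fields are rendered instead."""
    return not (user.get("display_name") or "").strip()


def safe_display_name(user: dict) -> str:
    """Hardened fallback: whichever field supplies the rendered name, escape it for HTML."""
    name = (user.get("display_name") or "").strip()
    if not name:
        name = f"{user.get('first_name') or ''} {user.get('last_name') or ''}".strip()
    return html.escape(name, quote=True)


def audit_users(users: list) -> dict:
    """Flag profiles with markup in Name/Surname and profiles with no Display Name."""
    report = {"markup_in_name": [], "display_name_unset": []}
    for u in users:
        fields = [f for f in ("first_name", "last_name") if has_markup(u.get(f))]
        if fields:
            report["markup_in_name"].append({"id": u["id"], "fields": fields})
        if display_name_unset(u):
            report["display_name_unset"].append(u["id"])
    return report


if __name__ == "__main__":
    for key, rows in audit_users(SAMPLE_USERS).items():
        print(f"{key}: {rows}")
```

Profiles listed under `display_name_unset` are the ones the second recommended action asks you to fix first; `markup_in_name` hits are candidates for review and cleanup before the upgrade.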

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:00:00 +0000

Type                 Values Removed   Values Added
Title                (none)           Authenticated XSS in Snipe-IT via Name and Surname Fields

Tue, 14 Apr 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Grokability; Grokability snipe-it
Vendors & Products   (none)           Grokability; Grokability snipe-it

Tue, 14 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Weaknesses           (none)           CWE-79
Metrics              (none)           cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
                                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system, v8.3.0 up to and including v8.3.1, allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The JavaScript code is executed whenever the "Activity Report" or the modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:41:41.195Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63743

Vulnrichment

Updated: 2026-04-14T14:41:37.697Z

NVD

Status : Deferred

Published: 2026-04-13T16:16:24.487

Modified: 2026-04-27T19:18:46.690

Link: CVE-2025-63743

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses