Description
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Snipe‑IT allows users with component view access to create or edit a component’s notes. The notes field is concatenated into the page without escaping, which enables an attacker to embed HTML or JavaScript. When a victim views the component, the injected script runs in their browser, potentially compromising credential confidentiality and session integrity. The vulnerability is classified as a classic reflected XSS, mapping to CWE‑79.

Affected Systems

The vulnerability affects the Snipe‑IT system developed by Grokability. All installations running any version prior to 8.4.1 are impacted; version 8.4.1 onward mitigates the flaw.

Risk and Exploitability

The CVSS score for this issue is 4.8, indicating a moderate threat. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an authenticated user who can edit component notes; exploitation requires valid component view rights and the ability to supply arbitrary content to the notes field. Once injected, the payload executes in the victim’s browser context.

Generated by OpenCVE AI on May 26, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snipe‑IT to version 8.4.1 or later, which sanitizes component notes.
  • If an upgrade is not immediately possible, disable HTML rendering for the notes field or enforce server‑side sanitization, ensuring that any script tags or event handlers are stripped before rendering.
  • Verify that users with component view permissions cannot enter malicious content into notes fields and monitor web application logs for XSS-related activity.
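To make the escaping advice concrete, the following is an added PHP example, not Snipe-IT's own code and not part of the OpenCVE record. It contrasts raw concatenation of a notes value into HTML (the defect class the advisory describes) with contextual output encoding via htmlspecialchars, which is what Laravel's default Blade {{ }} syntax applies and {!! !!} skips. The function names and the sample note are constructed for illustration.

```php
<?php
// Added example (not Snipe-IT's code): rendering a user-supplied notes field.
// Function names are hypothetical; the sample note is constructed.
declare(strict_types=1);

// Vulnerable pattern: the note is concatenated into the page as-is, so any
// markup it contains is interpreted by the browser (equivalent to Blade's
// {!! $notes !!}).
function render_notes_unescaped(string $notes): string
{
    return '<td class="notes">' . $notes . '</td>';
}

// Hardened pattern: encode for the HTML text-node context before output
// (equivalent to Blade's default {{ $notes }}, which calls e() / htmlspecialchars).
function render_notes_escaped(string $notes): string
{
    $safe = htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td class="notes">' . $safe . '</td>';
}

// Regression check a test suite could run over the rendered cell: the encoded
// inner text must contain no raw '<' or '>' and must decode back to the
// original note, so the content is preserved but cannot become markup.
function notes_rendered_safely(string $notes): bool
{
    $html  = render_notes_escaped($notes);
    $inner = substr($html, strlen('<td class="notes">'), -strlen('</td>'));
    return strpos($inner, '<') === false
        && strpos($inner, '>') === false
        && html_entity_decode($inner, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $notes;
}

// Constructed sample note containing ordinary markup characters.
$sample = 'Replaced fan <b>on 2026-05-01</b> & "checked" by tech #2';

echo render_notes_unescaped($sample), PHP_EOL; // <b> is interpreted as a tag
echo render_notes_escaped($sample), PHP_EOL;   // <b> is shown literally as text
var_dump(notes_rendered_safely($sample));
```

The escaping must happen at output time for the context the value lands in; stripping tags on input is weaker because the same note may later be emitted into an attribute, a script block or a JSON response, each of which needs its own encoding.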

Tracking

Advisories
Source: Github GHSA
ID: GHSA-r42m-953q-6vjx
Title: Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)
History

Tue, 26 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Grokability
Grokability snipe-it
Snipeitapp
Snipeitapp snipe-it
CPEs cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:*
Vendors & Products Grokability
Grokability snipe-it
Snipeitapp
Snipeitapp snipe-it

Tue, 26 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.
Title Snipe-IT: XSS vulnerability in component notes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Grokability Snipe-it
Snipeitapp Snipe-it
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T19:27:16.856Z

Reserved: 2026-05-07T21:21:48.351Z

Link: CVE-2026-44831

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-26T20:16:20.027

Modified: 2026-05-26T20:39:22.000

Link: CVE-2026-44831

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:30:15Z

Weaknesses