Snipe-IT Persistent Cross-Site Scripting Vulnerability

Vulnerability

A persistent (stored) cross-site scripting vulnerability has been identified in Snipe-IT version 4.7.5. An authenticated user with permission to upload files can upload an SVG file that carries embedded JavaScript, for example a <script> element, an onload event handler attribute, or a javascript: link. When another user opens the stored file in a browser, the embedded JavaScript executes in that user's browser, in the origin that serves the file, and can perform actions or read data on behalf of that user.

Impact

Exploitation results in stored cross-site scripting: JavaScript embedded in an uploaded SVG runs in the browser of every user who opens the file, with the privileges of that user's session in the serving origin, so it can issue requests and read responses as that user. Execution requires that the file is served inline (Content-Type: image/svg+xml without a Content-Disposition: attachment header) and is opened directly in the browser; an SVG referenced only through an <img> tag does not run script, so the exposure is to users who navigate to the file's URL.

Reproduction

To reproduce this vulnerability, log in as a user who is allowed to upload files and, in the accessories section, upload an SVG file that contains a JavaScript payload (for example a <script> element that calls alert). After the upload completes, open the URL of the stored SVG file in a browser: the file is rendered inline and the payload executes, for example displaying an alert box. To confirm the issue affects users other than the uploader, open the same URL from a second user's session.
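The following script is an added example, not code from the advisory or from Snipe-IT. It builds a constructed SVG of the kind described above (script element, onload handler, javascript: link), shows a detection function that flags script-capable content in an uploaded SVG, a sanitizer that strips it while keeping the drawing, and a small check on response headers that tells you whether a stored SVG would be served inline (and therefore executable when navigated to) or as a download. All names, the sample headers and the payload are assumptions made for this example.

```python
"""Added example: detect, strip, and serving-check for script-bearing SVG uploads.

Not Snipe-IT code. The payload, the benign file and the header dictionaries
below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Constructed payload: a valid drawing that also carries three script vectors.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <circle cx="50" cy="50" r="40" fill="red"/>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>
  <script type="text/javascript">alert(document.cookie)</script>
</svg>
"""

# Constructed benign file for comparison.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>
"""

# Elements that can run script or embed arbitrary HTML inside an SVG.
DANGEROUS_TAGS = {"script", "foreignobject"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[1].lower() if "}" in name else name.lower()


def _is_javascript_url(value):
    # Browsers ignore tab/newline inside the scheme, so drop them before matching.
    return re.sub(r"[\t\n\r]", "", value).strip().lower().startswith("javascript:")


def find_active_content(svg_bytes):
    """Return (reason, location) findings for every script-capable construct."""
    findings = []
    for el in ET.fromstring(svg_bytes).iter():
        name = _local(el.tag)
        if name in DANGEROUS_TAGS:
            findings.append(("dangerous element", name))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(("event handler attribute", f"{name}@{aname}"))
            elif aname == "href" and _is_javascript_url(value):
                findings.append(("javascript: URL", f"{name}@{aname}"))
    return findings


def sanitize(svg_bytes):
    """Remove script elements, on* handlers and javascript: hrefs; keep the drawing."""
    root = ET.fromstring(svg_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if _local(el.tag) in DANGEROUS_TAGS and el in parents:
            parents[el].remove(el)
    for el in root.iter():
        for attr in list(el.attrib):
            aname = _local(attr)
            if aname.startswith("on") or (aname == "href" and _is_javascript_url(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


def serves_inline_svg(headers):
    """True if these response headers would make a browser render the SVG inline,
    which is the condition under which its script runs on direct navigation.
    (A restrictive Content-Security-Policy on the response could still block it.)"""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    return ctype == "image/svg+xml" and disposition != "attachment"


if __name__ == "__main__":
    for reason, where in find_active_content(MALICIOUS_SVG):
        print(f"{reason}: {where}")
    print(sanitize(MALICIOUS_SVG).decode())
```

Rejecting the upload when find_active_content returns anything is the simplest fix; sanitizing is an option when the image itself is wanted. Either way, serving uploads with Content-Disposition: attachment, or from a separate origin, removes the same-origin impact even if a file slips through.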

Added: Feb 3, 2026, 7:10 PM
Updated: Feb 3, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          1.7
exploitability  5.9
remediation     7.7
relevance       2.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.