Vulnerability-Lookup

CVE-2026-44833 (GCVE-0-2026-44833)

Vulnerability from cvelistv5 – Published: 2026-05-26 19:30 – Updated: 2026-05-27 14:21

Title

Snipe-IT: Open redirect vulnerability

Summary

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1.

Severity

5.9 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/grokability/snipe-it/security/…	x_refsource_CONFIRM
https://github.com/grokability/snipe-it/commit/e3…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
grokability	snipe-it	Affected: < 8.4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44833",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T14:20:51.410457Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T14:21:12.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "snipe-it",
          "vendor": "grokability",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:30:48.852Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg"
        },
        {
          "name": "https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373"
        }
      ],
      "source": {
        "advisory": "GHSA-mghp-5cq4-v6mg",
        "discovery": "UNKNOWN"
      },
      "title": "Snipe-IT: Open redirect vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44833",
    "datePublished": "2026-05-26T19:30:48.852Z",
    "dateReserved": "2026-05-07T21:21:48.352Z",
    "dateUpdated": "2026-05-27T14:21:12.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44833",
      "date": "2026-05-27",
      "epss": "0.0001",
      "percentile": "0.01085"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44833\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-26T20:16:20.317\",\"lastModified\":\"2026-05-26T20:38:06.913\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.7,\"impactScore\":3.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.4.1\",\"matchCriteriaId\":\"EB07F5CD-5BCC-4858-8FAD-10A9DBEE5466\"}]}]}],\"references\":[{\"url\":\"https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44833\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T14:20:51.410457Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-27T14:20:58.394Z\"}}], \"cna\": {\"title\": \"Snipe-IT: Open redirect vulnerability\", \"source\": {\"advisory\": \"GHSA-mghp-5cq4-v6mg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"grokability\", \"product\": \"snipe-it\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 8.4.1\"}]}], \"references\": [{\"url\": \"https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg\", \"name\": \"https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373\", \"name\": \"https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-26T19:30:48.852Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44833\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-27T14:21:12.573Z\", \"dateReserved\": \"2026-05-07T21:21:48.352Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-26T19:30:48.852Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44833

Vulnerability from fkie_nvd - Published: 2026-05-26 20:16 - Updated: 2026-05-26 20:38

Severity

5.9 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373	Patch
	security-advisories@github.com	https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	snipeitapp	snipe-it	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB07F5CD-5BCC-4858-8FAD-10A9DBEE5466",
              "versionEndExcluding": "8.4.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1."
    }
  ],
  "id": "CVE-2026-44833",
  "lastModified": "2026-05-26T20:38:06.913",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 3.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-26T20:16:20.317",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-MGHP-5CQ4-V6MG

Vulnerability from github – Published: 2026-05-08 23:25 – Updated: 2026-05-08 23:25

Summary

Snipe-IT has an open redirect vulnerability

Details

Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.

Impact

Phishing: Redirect users to fake login pages to steal credentials
Session Hijacking: Redirect to attacker site that captures session cookies via JavaScript
Malware Distribution: Redirect to sites hosting malware or drive-by downloads
Reputation Damage: Users lose trust when redirected to malicious sites from legitimate application
Social Engineering: Use trusted Snipe-IT domain to increase phishing success rate

When the user clicks "Save", the application: 1. Processes the form 2. Checks redirect_option (if set to 'back') 3. Calls Helper::getRedirectOption() 4. Retrieves back_url from session: https://evil.com/phishing?target=snipeit 5. Executes redirect()->to($backUrl) 6. User is redirected to attacker's site

This would still require session poisoning, so the actual practical threat here is minimal.

Patches

Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.

Workarounds

None.

Resources

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
OWASP: Unvalidated Redirects and Forwards
Laravel Security: Safe Redirects

snipeit_open_redirect_submission.md

Severity

5.9 (Medium)


                  
                    CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "snipe/snipe-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T23:25:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.\n\n### Impact\n\n-   **Phishing**: Redirect users to fake login pages to steal credentials\n-   **Session Hijacking**: Redirect to attacker site that captures session cookies via JavaScript\n-   **Malware Distribution**: Redirect to sites hosting malware or drive-by downloads\n-   **Reputation Damage**: Users lose trust when redirected to malicious sites from legitimate application\n-   **Social Engineering**: Use trusted Snipe-IT domain to increase phishing success rate\n\nWhen the user clicks \"Save\", the application: \n1. Processes the form \n2. Checks `redirect_option` (if set to \u0027back\u0027) \n3. Calls `Helper::getRedirectOption()` \n4. Retrieves `back_url` from session: `https://evil.com/phishing?target=snipeit` \n5. Executes `redirect()-\u003eto($backUrl)` \n6. User is redirected to attacker\u0027s site\n\nThis would still require session poisoning, so the actual practical threat here is minimal. \n\n### Patches\nPatched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.\n\n### Workarounds\n None.\n\n### Resources\n-   CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\n-   OWASP: Unvalidated Redirects and Forwards\n-   Laravel Security: Safe Redirects\n\n[snipeit_open_redirect_submission.md](https://github.com/user-attachments/files/27414869/snipeit_open_redirect_submission.md)",
  "id": "GHSA-mghp-5cq4-v6mg",
  "modified": "2026-05-08T23:25:37Z",
  "published": "2026-05-08T23:25:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grokability/snipe-it"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Snipe-IT has an open redirect vulnerability"
}

WID-SEC-W-2026-1377

Vulnerability from csaf_certbund - Published: 2026-05-05 22:00 - Updated: 2026-05-26 22:00

Summary

Snipe-IT: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Snipe-IT ist eine webbasierte Open-Source-Asset-Management-Software, die Unternehmen bei der Verfolgung von Hardware und Software unterstützt.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Snipe-IT ausnutzen, um Cross-Site-Scripting-Angriffe durchzuführen, Benutzer auf bösartige Websites umzuleiten, Administratorrechte zu erlangen oder beliebigen Code auszuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-44831

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Snipe-IT <8.4.1 Open Source / Snipe-IT		<8.4.1

CVE-2026-44832

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Snipe-IT <8.4.1 Open Source / Snipe-IT		<8.4.1

CVE-2026-44833

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Snipe-IT <8.4.1 Open Source / Snipe-IT		<8.4.1

CVE-2026-37709

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Snipe-IT <8.4.1 Open Source / Snipe-IT		<8.4.1

References

6 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/grokability/snipe-it/security/…	external
https://github.com/grokability/snipe-it/security/…	external
https://github.com/grokability/snipe-it/security/…	external
https://github.com/grokability/snipe-it/security/…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Snipe-IT ist eine webbasierte Open-Source-Asset-Management-Software, die Unternehmen bei der Verfolgung von Hardware und Software unterst\u00fctzt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Snipe-IT ausnutzen, um Cross-Site-Scripting-Angriffe durchzuf\u00fchren, Benutzer auf b\u00f6sartige Websites umzuleiten, Administratorrechte zu erlangen oder beliebigen Code auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1377 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1377.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1377 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1377"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-r42m-953q-6vjx vom 2026-05-05",
        "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-r42m-953q-6vjx"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-r42m-953q-6vjx vom 2026-05-05",
        "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-mghp-5cq4-v6mg vom 2026-05-05",
        "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-xg82-2hrv-hf64 vom 2026-05-05",
        "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64"
      }
    ],
    "source_lang": "en-US",
    "title": "Snipe-IT: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-26T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-27T07:05:36.345+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1377",
      "initial_release_date": "2026-05-05T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-05T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "2",
          "summary": "CVE-Nummern erg\u00e4nzt"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.4.1",
                "product": {
                  "name": "Open Source Snipe-IT \u003c8.4.1",
                  "product_id": "T053597"
                }
              },
              {
                "category": "product_version",
                "name": "8.4.1",
                "product": {
                  "name": "Open Source Snipe-IT 8.4.1",
                  "product_id": "T053597-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:snipeitapp:snipe-it:8.4.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Snipe-IT"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-44831",
      "product_status": {
        "known_affected": [
          "T053597"
        ]
      },
      "release_date": "2026-05-05T22:00:00.000+00:00",
      "title": "CVE-2026-44831"
    },
    {
      "cve": "CVE-2026-44832",
      "product_status": {
        "known_affected": [
          "T053597"
        ]
      },
      "release_date": "2026-05-05T22:00:00.000+00:00",
      "title": "CVE-2026-44832"
    },
    {
      "cve": "CVE-2026-44833",
      "product_status": {
        "known_affected": [
          "T053597"
        ]
      },
      "release_date": "2026-05-05T22:00:00.000+00:00",
      "title": "CVE-2026-44833"
    },
    {
      "cve": "CVE-2026-37709",
      "product_status": {
        "known_affected": [
          "T053597"
        ]
      },
      "release_date": "2026-05-05T22:00:00.000+00:00",
      "title": "CVE-2026-37709"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44833 (GCVE-0-2026-44833)

FKIE_CVE-2026-44833

GHSA-MGHP-5CQ4-V6MG

Impact

Patches

Workarounds

Resources

WID-SEC-W-2026-1377

Tags

Sightings

Nomenclature