
Snipe-IT CVE-2026-37709

EUVD-2026-28401 CRITICAL
Improper Access Control (CWE-284)
2026-05-07 mitre GHSA-xg82-2hrv-hf64
9.8 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched - May 07, 2026 20:30 (vuln.today)
Analysis Generated - May 07, 2026 20:30 (vuln.today)
CVSS changed - May 07, 2026 18:22 (NVD): 9.8 (CRITICAL)
CVE Published - May 07, 2026 00:00 (nvd): UNKNOWN (no severity yet)
CVE Published - May 07, 2026 00:00 (nvd): CRITICAL 9.8

Description (NVD)

Insecure Permissions vulnerability in grokability snipe-it v8.4.0 and before, fixed after the 2026-03-10 commit 676a9958, allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.

Analysis (AI-generated)

Remote unauthenticated attackers can execute arbitrary code in Snipe-IT versions 8.4.0 and earlier by uploading malicious files through the API's UploadedFilesController component. The vulnerability stems from an authorization bypass where file upload endpoints required only 'view' permission instead of 'update' permission, allowing attackers to upload and execute code without proper authentication. …


Remediation (AI-generated)

Within 24 hours: Immediately restrict network access to the Snipe-IT API endpoints (specifically UploadedFilesController) using firewall or WAF rules to block external file uploads. Within 7 days: Upgrade to a Snipe-IT version containing commit 676a9958 or later (released March 10, 2026 or newer); verify the specific patched version via the vendor's release notes. …


CVE-2026-37709 vulnerability details – vuln.today
