Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible stored payload requires low-privilege auth (PR:L), mandatory victim interaction to open the CSV (UI:R), and scope change since execution occurs on the viewer's workstation (S:C/C:L/I:L).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. This issue is fixed in version 8.5.0.
AnalysisAI
CSV formula injection in Snipe-IT prior to version 8.5.0 enables a low-privileged authenticated user to store a malicious spreadsheet formula via the HTTP User-Agent header, which is then written unescaped into exported Activity Report CSV files. When an administrator or report viewer opens the exported file in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the embedded formula executes within their local application environment, potentially enabling data exfiltration or arbitrary command execution on the viewer's workstation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the attacker possesses a valid, low-privileged authenticated account on the Snipe-IT instance (confirmed by PR:L in the CVSS 4.0 vector); (2) the attacker sends at least one authenticated HTTP request with a formula-prefixed User-Agent header, causing Actionlog::logaction() to store the payload; (3) a separate user - typically an administrator with access to the Reports module - must export the Activity Report and open the resulting CSV in spreadsheet software that evaluates formula elements (e.g., Microsoft Excel, LibreOffice Calc). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.8 (Medium) accurately reflects the constrained impact profile: while the attack is network-accessible with low complexity and low privilege (AV:N/AC:L/PR:L), mandatory active user interaction is required (UI:A) - a victim administrator must export and open the Activity Report CSV in formula-executing spreadsheet software before the payload fires. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged Snipe-IT user sets their HTTP client's User-Agent header to a formula string such as =cmd|'/C powershell -enc ...'!A0 before making authenticated requests to the application. Snipe-IT logs this value verbatim in the activity table. … |
| Remediation | Upgrade to Snipe-IT version 8.5.0, which resolves the issue via the fix committed at https://github.com/grokability/snipe-it/commit/7b7d2c87fbc965a7933b1bf9e3f2c331b8c8e19c; the vendor security advisory is at https://github.com/grokability/snipe-it/security/advisories/GHSA-whrx-mmgr-gpcf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. Rated high severity (CVSS 8.8),
In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. Rated high severity (CVSS 8.8), this
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability
Old sessions are not blocked by the login enable function. Rated high severity (CVSS 7.4), this vulnerability is remotel
snipe-it is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.2), this vulnerability is remo
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the AP
Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnera
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42997