Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Network vector via web interface; PR:H because both import and assets.update permissions must be held; no confidentiality impact as only deletion occurs.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the server process. This issue is fixed in version 8.6.2.
AnalysisAI
Arbitrary file deletion in Snipe-IT prior to 8.6.2 allows an authenticated attacker holding both import and assets.update permissions to delete any file readable by the server process via a path traversal string injected into the asset image field during CSV import. The vulnerability is triggered in a two-stage pattern: first importing a crafted CSV, then invoking the image deletion action, which follows the unsanitized path without boundary checks. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with a Snipe-IT account that has been granted BOTH the import permission AND the assets.update permission - two distinct, administratively-assigned roles that must coexist on the same account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS base score of 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H accurately reflects the threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls a Snipe-IT account with both import and assets.update permissions prepares a CSV file containing a crafted asset image field value such as '../../var/www/snipe-it/.env' or another sensitive server path. After importing the CSV via the standard import interface, the attacker triggers the asset image deletion action on the affected record, causing the server to delete the targeted file outside the intended upload directory. … |
| Remediation | Upgrade Snipe-IT to version 8.6.2 or later, which contains the patch referenced in commit abc4363e8393b29a5566b8c50144426af72bbc97 (https://github.com/grokability/snipe-it/commit/abc4363e8393b29a5566b8c50144426af72bbc97). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. Rated high severity (CVSS 8.8),
In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. Rated high severity (CVSS 8.8), this
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability
Old sessions are not blocked by the login enable function. Rated high severity (CVSS 7.4), this vulnerability is remotel
snipe-it is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.2), this vulnerability is remo
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the AP
Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnera
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43000