GHSA-r42m-953q-6vjxMediumCVSS 4.8

Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)

Published
May 8, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Users with component view access could be impacted by an unescaped notes column.

Patches

This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater.

Workarounds

None.

🎯 Affected products1

  • composer/snipe/snipe-it:< 8.4.1

🔗 References (4)