CVE-2026-44833

Description

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Affected products

grokability / snipe-it< 8.4.1 – < 8.4.1

References

VENDOR_ADVISORYhttps://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg
PATCHhttps://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373