CVE-2026-37709
Grokability · Snipe-IT
An insecure permissions vulnerability in Snipe-IT allows remote attackers to execute arbitrary code through the UploadedFilesController component.
Executive summary
A critical remote code execution vulnerability in Snipe-IT allows unauthenticated attackers to gain control of the application server via malicious file uploads.
Vulnerability
The application fails to properly secure file permissions within the app/Http/Controllers/Api/UploadedFilesController.php component. This allows a remote attacker to upload and execute arbitrary code on the underlying server.
Business impact
With a CVSS score of 9.8, this flaw represents the highest level of risk, enabling full remote code execution. Attackers can gain complete control over the Snipe-IT instance, potentially leading to total data exfiltration, lateral movement within the network, and complete system takeover.
Remediation
Immediate Action: Update Snipe-IT to a version that includes the fix commit 676a9958 (released after 2026-03-10).
Proactive Monitoring: Inspect the app/Http/Controllers/Api/ directory and upload folders for suspicious files or unexpected executable scripts.
Compensating Controls: Until the update is applied, use a Web Application Firewall (WAF) to block suspicious HTTP requests to the upload routes served by UploadedFilesController.php.
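The following is an added example for the monitoring step above, not code from Snipe-IT or the advisory: it walks an upload directory and flags files with server-side script extensions, PHP tags hidden inside files named like documents or images, and files with an executable bit set. The directory path and the sample files it writes are constructed assumptions; point scan_upload_dir at your deployment's real upload folders.

```python
import os
import stat
import tempfile

# Extensions that the upload folder of a PHP application should never contain.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar", ".phps", ".sh"}
# Byte markers that open PHP code, even inside a file named like an image or PDF.
PHP_MARKERS = (b"<?php", b"<?=")

def inspect_file(path):
    """Return the reasons this file looks suspicious (empty list if it looks clean)."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    if "." + parts[-1] in SCRIPT_EXTENSIONS:
        reasons.append("script extension")
    elif any("." + p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        reasons.append("script extension hidden in filename")  # e.g. report.php.jpg
    try:
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)  # only the leading 64 KiB is inspected
    except OSError:
        return reasons
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("php tag in content")
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set")
    return reasons

def scan_upload_dir(root):
    """Walk root and map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Write constructed sample uploads (assumed, not real data) to a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="uploads_")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # benign image header
        "invoice.pdf": b"%PDF-1.4\n<?php echo 1; ?>",      # PHP tag inside a 'PDF'
        "report.php.jpg": b"\xff\xd8\xff\xe0JFIF",         # script extension in the middle
        "avatar.phtml": b"<html></html>",                  # script extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_upload_dir(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```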
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Remote Code Execution vulnerabilities are critical and require immediate remediation. Organizations must ensure their Snipe-IT deployment is updated beyond the specified commit to eliminate the risk of total system compromise.