CVE-2026-37709

Grokability · Snipe-IT

An insecure permissions vulnerability in Snipe-IT allows remote attackers to execute arbitrary code through the UploadedFilesController component.

Executive summary

A critical remote code execution vulnerability in Snipe-IT allows unauthenticated attackers to gain control of the application server via malicious file uploads.

Vulnerability

The application fails to properly secure file permissions within the app/Http/Controllers/Api/UploadedFilesController.php component. This allows a remote attacker to upload and execute arbitrary code on the underlying server.

Business impact

With a CVSS score of 9.8, this flaw represents the highest level of risk, enabling full remote code execution. Attackers can gain complete control over the Snipe-IT instance, potentially leading to total data exfiltration, lateral movement within the network, and complete system takeover.

Remediation

Immediate Action: Update Snipe-IT to the version containing the fix for commit 676a9958 (released after 2026-03-10).

Proactive Monitoring: Inspect the app/Http/Controllers/Api/ directory and upload folders for suspicious files or unexpected executable scripts.

Compensating Controls: Use a Web Application Firewall (WAF) to block suspicious HTTP requests to the API routes handled by UploadedFilesController.php (for example, uploads whose filename or content looks like a script).
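One way to carry out the "Proactive Monitoring" step above, as an added example that is not part of this advisory or of the Snipe-IT project's own code: a small Python audit script that walks an upload directory and reports files that should never be served from it (script extensions, double extensions such as `name.php.png`, execute or world-writable permission bits, and a PHP open tag inside a file that claims to be an image or document). The sample directory it builds is constructed for demonstration; the upload paths `storage/private_uploads` and `public/uploads` mentioned in the usage note are assumptions about a typical Snipe-IT layout, so pass the directories your deployment actually uses.

```python
"""Audit an upload directory for files that look like server-side scripts.

Added example, not Snipe-IT project code. Assumes a POSIX filesystem so that
execute and world-writable bits are meaningful.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

# Extensions a web server or CGI handler might execute instead of serving.
SCRIPT_EXTENSIONS = {
    ".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar",
    ".sh", ".pl", ".py", ".cgi",
}
# A PHP open tag near the start of a file betrays a script even when the
# extension looks harmless (e.g. "invoice.pdf").
PHP_MARKERS = (b"<?php", b"<?=")
SNIFF_BYTES = 4096


def audit_file(path: Path) -> list[str]:
    """Return the reasons `path` looks suspicious; an empty list means clean."""
    reasons: list[str] = []
    try:
        st = path.lstat()
    except OSError as exc:
        return [f"unreadable: {exc}"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink inside an upload tree can point outside it; flag and stop.
        return ["symlink inside upload tree"]
    if not stat.S_ISREG(st.st_mode):
        return reasons
    if path.suffix.lower() in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {path.suffix.lower()}")
    # Double extensions like shell.php.jpg are a classic upload-filter bypass.
    inner = {s.lower() for s in path.suffixes[:-1]}
    if inner & SCRIPT_EXTENSIONS:
        reasons.append("script extension hidden by double extension")
    if st.st_mode & 0o111:
        reasons.append(f"execute bit set (mode {stat.filemode(st.st_mode)})")
    if st.st_mode & 0o002:
        reasons.append("world-writable")
    try:
        with path.open("rb") as fh:
            head = fh.read(SNIFF_BYTES)
    except OSError as exc:
        reasons.append(f"unreadable content: {exc}")
        return reasons
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("PHP open tag in content")
    return reasons


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Map each suspicious file under `root` (relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reasons = audit_file(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_tree() -> Path:
    """Create a constructed upload directory mixing clean and suspicious files."""
    root = Path(tempfile.mkdtemp(prefix="uploads_demo_"))
    (root / "assets").mkdir()
    samples = {
        "assets/photo.jpg": b"\xff\xd8\xff\xe0 JFIF placeholder bytes",
        "assets/invoice.pdf": b"<?php echo 'not a pdf'; ?>",   # wrong content
        "dropped.php": b"<?php echo 'hello'; ?>",             # script extension
        "avatar.php.png": b"<?php /* placeholder */ ?>",      # double extension
        "run.sh": b"#!/bin/sh\necho placeholder\n",           # executable
    }
    for rel, content in samples.items():
        p = root / rel
        p.write_bytes(content)
        os.chmod(p, 0o644)                 # normalise so results are deterministic
    os.chmod(root / "run.sh", 0o755)       # set the execute bit on one file
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for rel, why in sorted(audit_tree(target).items()):
        print(f"{rel}: {'; '.join(why)}")
```

Run it as `python audit_uploads.py /path/to/snipe-it/storage/private_uploads` (and again for `public/uploads`); with no argument it audits the constructed sample tree. A clean upload directory should produce no output, so the script is easy to wire into a cron job that alerts on any line it prints. Because it only reads files and permission bits, it is safe to run against a live instance.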

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Remote Code Execution vulnerabilities are critical and require immediate remediation. Organizations must ensure their Snipe-IT deployment is updated beyond the specified commit to eliminate the risk of total system compromise.