CVE-2025-15602

Published: Mar 6, 2026

Modified: Mar 9, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.

Vendor	Product	Versions
Grokability, Inc.	Snipe-IT	affected `0 - < 8.3.7`

Weaknesses (CWE)

CWE-915

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/grokability/snipe-it/releases/tag/v8.3.7

release-notes

patch

https://snipeitapp.com/

product

https://www.vulncheck.com/advisories/snipe-it-mass-assignment-vulnerability-leading-to-privilege-escalation

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-15602

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References