PT-2025-47606 · Snipe-It · Snipe-It

Published: 2025-11-20 · Updated: 2025-11-25 · CVE-2025-64027

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Snipe-IT version 8.3.4 (build 20218)

Description: The software contains a reflected cross-site scripting (XSS) issue within the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress message value that is rendered as raw HTML in the admin interface. An attacker can modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress message. The server accepts this modified input without sanitization and reflects it back to the user, leading to the execution of arbitrary JavaScript in the browser of any authenticated admin viewing the import page.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, carefully validate and sanitize all CSV files before uploading them. Restrict access to the CSV Import workflow to trusted administrators only.

Tags: Exploit · Fix · XSS

Related Identifiers

CVE-2025-64027
GHSA-8X9V-8QGJ-945X

Affected Products

Snipe-It