PT-2026-38544 · Grokability · Snipe-It

0Xaspros · Published 2026-05-07 · Updated 2026-05-12 · CVE-2026-37709

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: grokability snipe-it, versions prior to 8.4.1
Description: Insecure permissions allow a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component. Users with permission to view assets or consumables can send a POST request to the "/api/v1/{object type}/{id}/files" endpoint. The API incorrectly authorizes these requests using view permissions instead of write permissions, allowing files and audit log entries to be persisted.
Recommendations: Update to version 8.4.1.

Fix · RCE · Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-37709
GHSA-XG82-2HRV-HF64

Affected Products

Snipe-It