GHSA-r42m-953q-6vjx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r42m-953q-6vjx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-r42m-953q-6vjx/GHSA-r42m-953q-6vjx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r42m-953q-6vjx
- Aliases
-
- CVE-2026-44831
- Published
- 2026-05-08T22:23:41Z
- Modified
- 2026-05-08T22:34:22.709323Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)
- Details
-
Impact
Users with component view access could be impacted by an unescaped
notescolumn.Patches
This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater.
Workarounds
None.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-08T22:23:41Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
Packagist / snipe/snipe-it
Package
- Name
- snipe/snipe-it
- Purl
- pkg:composer/snipe/snipe-it
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.4.1
Affected versions
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.3.0-alpha
v0.3.7-alpha
v0.3.8-alpha
v0.3.9-alpha
v0.3.10-alpha
v0.3.11-alpha
v1.*
v1.0
v1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3-beta
v1.2.3
v1.2.4-beta
v1.2.4
v1.2.5
v1.2.6-beta
v1.2.6
v1.2.6.1
v1.2.7-beta
v1.2.7
v1.2.8
v1.2.9
v1.2.10
v1.2.11
v2.*
v2.0-beta
v2.0-RC-1
v2.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.1.0
v2.1.1
v2.1.2
v3.*
v3.0-alpha
v3.0-alpha2
v3.0-beta.1
v3.0-beta.2
v3.0-beta.3
v3.0
v3.0.0-beta
v3.1.0
v3.3.0-beta
v3.3.0
v3.4
v3.4.0-alpha
v3.4.0-beta
v3.5.0-beta
v3.5.0-beta2
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.6.6
3.*
3.2.0
Other
v4-beta3
v4-beta4
v4.*
v4.0-alpha
v4.0-alpha-2
v4.0-beta
v4.0-beta2
v4.0-beta5
v4.0-beta6
v4.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.1.0-beta
v4.1.0-beta2
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.1.11
v4.1.12
v4.1.13
v4.1.14
v4.2.0
v4.3.0
v4.4.0
v4.4.1
v4.5.0
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.6.7
v4.6.8
v4.6.9
v4.6.10
v4.6.11
v4.6.12
v4.6.13
v4.6.14
v4.6.15
v4.6.16
v4.6.17
v4.6.18
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.7.7
v4.7.8
v4.8.0
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.4
v4.9.5
v5.*
v5.0.0-beta-1.0
v5.0.0-beta-1.1
v5.0.0-beta-2
v5.0.0-beta-3.0
v5.0.0-beta-4
v5.0.0-beta-5
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.0.10
v5.0.11
v5.0.12
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.8
v5.2.0
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.3.8
v5.3.9
v5.3.10
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v6.*
v6.0.0-RC-1
v6.0.0-RC-2
v6.0.0-RC-3
v6.0.0-RC-4
v6.0.0-RC-5
v6.0.0-RC-6
v6.0.0-RC-7
v6.0.0-RC-8
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.4.0
v6.4.1
v6.4.2
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.0.10
v7.0.11
v7.0.12
v7.0.13
v7.1.14
v7.1.15
v7.1.16
v7.1.17
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.1.0
v8.1.1
v8.1.2
v8.1.3
v8.1.4
v8.1.15
v8.1.16
v8.1.17
v8.1.18
v8.2.0
v8.2.1
v8.3.0
v8.3.1
v8.3.2
v8.3.3
v8.3.4
v8.3.5
v8.3.6
v8.3.7
v8.4.0