CVE-2026-54329
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another company when Full Multiple Companies Support is enabled. This issue is fixed in version 8.6.2.
Impact
Base Score 3.x
8.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:* | 8.6.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/grokability/snipe-it/commit/6a0ec6945126a79fc25c0990c99abe632db370c3
- https://github.com/grokability/snipe-it/commit/dc8cbf4786bb38b260b4ae1723ec9e7f81d82fe5
- https://github.com/grokability/snipe-it/commit/e2bea57146eb3a3781b5eb21b69d7e04cc87c268
- https://github.com/grokability/snipe-it/releases/tag/v8.6.2
- https://github.com/grokability/snipe-it/security/advisories/GHSA-pwpj-p52h-q484



