Headline
GHSA-8x9v-8qgj-945x: Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-64027
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
Moderate severity GitHub Reviewed Published Nov 20, 2025 to the GitHub Advisory Database • Updated Nov 20, 2025
Package
composer snipe/snipe-it (Composer)
Affected versions
<= 8.3.4
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-64027
- https://github.com/cybercrewinc/CVE-2025-64027
- https://github.com/grokability/snipe-it
Published to the GitHub Advisory Database
Nov 20, 2025
Last updated
Nov 20, 2025