Open Redirect Affecting snipe/snipe-it package, versions <8.4.1

Q: How to fix?

Upgrade snipe/snipe-it to version 8.4.1 or higher.

Threat Intelligence

0.01% (3^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Open Redirect vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PHP-SNIPESNIPEIT-17112593
published31 May 2026
disclosed26 May 2026
creditCE2Sec

Report a new vulnerability Found a mistake?

Introduced: 26 May 2026

NewCVE-2026-44833 (opens in a new tab) CWE-601 (opens in a new tab)

How to fix?

Upgrade snipe/snipe-it to version 8.4.1 or higher.

Overview

snipe/snipe-it is an asset management system built on Laravel.

Affected versions of this package are vulnerable to Open Redirect via the unvalidated HTTP Referer header stored in a session variable. An attacker can redirect users to arbitrary external sites by crafting a malicious link and convincing a user to follow it.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Adjacent
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
Passive

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None