CVE-2026-37709 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: May 7, 2026
grokability snipe-it - Remote Code Execution
Published: May 7, 2026Updated: May 7, 2026Remote Exploitable
Overview
grokability snipe-it <= 8.4.0 contains an insecure permissions vulnerability caused by improper access control in app/Http/Controllers/Api/UploadedFilesController.php, letting remote attackers execute arbitrary code, exploit requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Remote attackers can execute arbitrary code, potentially leading to full system compromise.
Mitigation
Update to the version after 2026-03-10 commit 676a9958 or the latest available version.
References
Related Resources
Details
- CVE ID
- CVE-2026-37709
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- undefined
- Status
- unconfirmed
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H