Description

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page.

INFO

Published Date :

2025-11-20T00:00:00.000Z

Last Modified :

2025-11-20T21:37:42.668Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64027 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64027.

URL Resource
https://github.com/cybercrewinc/CVE-2025-64027/ cve-icon cve-icon
https://github.com/grokability/snipe-it cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact