Reflected Cross-Site Scripting in Snipe-IT by Grokability
CVE-2025-64027

6.1 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 20 November 2025

What is CVE-2025-64027?

Snipe-IT version 8.3.4 (build 20218) is susceptible to a reflected cross-site scripting vulnerability in the CSV Import feature. When an invalid CSV file is uploaded, the application generates a progress message rendered as raw HTML in the admin interface. An attacker can manipulate the POST /livewire/update request to inject malicious HTML or JavaScript into this progress message. Since the server fails to properly sanitize the input, the injected code is executed in the browser of any authenticated admin who accesses the import page, creating a risk of data exposure and session hijacking.
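The description above comes down to one rendering decision: whether the progress message is escaped before it is placed in the admin page. The following Python sketch is an added illustration, not Snipe-IT's or Livewire's code; the function names, the wrapper markup and the sample filename are constructed for the example.

```python
import html


def build_progress_message(filename: str, error: str) -> str:
    """Compose the progress text shown after an invalid CSV upload.

    Both fields can originate from the client (the uploaded file's name and
    the validation detail), so the whole message must be treated as untrusted.
    """
    return f"Import of {filename} failed: {error}"


def render_raw(message: str) -> str:
    """Vulnerable pattern: untrusted text dropped into the page as raw HTML."""
    return f'<div class="progress">{message}</div>'


def render_escaped(message: str) -> str:
    """Hardened pattern: HTML-escape the text before embedding it.

    quote=True also escapes quotes, so the result is safe inside attributes too.
    """
    return f'<div class="progress">{html.escape(message, quote=True)}</div>'


def body_is_markup_free(rendered: str) -> bool:
    """Regression check: after removing the known wrapper, no tag syntax remains.

    This is the assertion a test suite would keep around the progress view so
    that a later change back to raw rendering is caught immediately.
    """
    prefix, suffix = '<div class="progress">', "</div>"
    assert rendered.startswith(prefix) and rendered.endswith(suffix)
    body = rendered[len(prefix):-len(suffix)]
    return "<" not in body and ">" not in body


# Constructed sample input: a filename carrying benign markup to show the effect.
SAMPLE_FILENAME = "inventory<i>.csv"
SAMPLE_ERROR = "header row is not a valid CSV record"

if __name__ == "__main__":
    msg = build_progress_message(SAMPLE_FILENAME, SAMPLE_ERROR)
    print("raw:    ", render_raw(msg), body_is_markup_free(render_raw(msg)))
    print("escaped:", render_escaped(msg), body_is_markup_free(render_escaped(msg)))
```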

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
