Back to KEVs

CVE-2025-64027

Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is...

Basic Information

CVE State: PUBLISHED
Reserved Date: October 27, 2025
Published Date: November 20, 2025
Last Updated: November 26, 2025
Vendor: n/a
Product: n/a
Description: Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself.

CVSS Scores

CVSS v3.1

6.1 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC Information

Exploitation: poc
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2025-11-17 15:00:08 UTC) Source

References

https://github.com/grokability/snipe-it https://github.com/cybercrewinc/CVE-2025-64027/

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-11-17 15:00:08 UTC

Timeline

CVE ID Reserved

October 27, 2025
Added to KEVIntel

November 17, 2025
CVE Published to Public

November 20, 2025