CVE Catalog

CVE-2026-37709

Critical
Published: Translated: NVD NIST

Summary

The CVE-2026-37709 vulnerability involves insecure permissions in grokability snipe-it version 8.4.0 and earlier, fixed after commit 676a9958 on March 10, 2026. This allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.

Risk Assessment

The organization is at risk of remote code execution, which could lead to system compromise and data leakage.

Recommendation

It is recommended to update to grokability snipe-it version after commit 676a9958 to eliminate this vulnerability.

Original NVD description (English source)

Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component

Vulnerability data from NVD (NIST) · CISA KEV · EPSS