CVE-2026-37709
CriticalSummary
The CVE-2026-37709 vulnerability involves insecure permissions in grokability snipe-it version 8.4.0 and earlier, fixed after commit 676a9958 on March 10, 2026. This allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.
Risk Assessment
The organization is at risk of remote code execution, which could lead to system compromise and data leakage.
Recommendation
It is recommended to update to grokability snipe-it version after commit 676a9958 to eliminate this vulnerability.
Original NVD description (English source)
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component

