CVE-2026-38533
CVE-2026-38533
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.5EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
14 Apr 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected products
n/a · n/apublic PoCs found — 1
cve_referencegithub.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38533/poc.mdunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →