WS-2022-0345
Published: May 15, 2026
Updated: May 15, 2026
CSV Injection in CSV files generated by the backend in snipe/snipe-it.
Formula elements are not sanitized before being added to CSV reports, which leads to CSV formula injection.
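The missing sanitization step, shown as an added PHP example that is not Snipe-IT's own code or its actual fix. The function names and sample rows are hypothetical, and the list of trigger characters follows common CSV-injection guidance rather than anything stated in this advisory.

```php
<?php
// Added illustration, not Snipe-IT code; names and rows below are constructed.

// Leading characters that make spreadsheet software evaluate a cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Return the cell unchanged when it is harmless, otherwise prefix it with a
// single quote so the spreadsheet renders it as literal text.
function neutralize_cell($value): string
{
    $value = (string) $value;
    if ($value === '' || is_numeric($value)) {
        return $value; // plain numbers such as "-12.50" are data, not formulas
    }
    return in_array($value[0], FORMULA_TRIGGERS, true) ? "'" . $value : $value;
}

// Build a CSV report in memory; $sanitize = false reproduces the unsanitized
// behaviour the advisory describes, true applies the neutralization.
function write_report(array $rows, bool $sanitize): string
{
    $out = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $cells = $sanitize ? array_map('neutralize_cell', $row) : $row;
        fputcsv($out, $cells, ',', '"', '');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed sample data: user-controlled fields that end up in a report.
$rows = [
    ['asset_tag', 'name', 'notes'],
    ['A-1001', 'Laptop', '=1+1'],
    ['A-1002', '@SUM(A1:A2)', '-12.50'],
];

echo "Unsanitized:\n", write_report($rows, false), "\n";
echo "Sanitized:\n", write_report($rows, true);
```

In the sanitized output the `=1+1` and `@SUM(A1:A2)` cells carry a leading single quote, while `-12.50` is left as a number.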
Affected Packages
snipe/snipe-it (PHP):
Affected version(s) =dev-fixes/nested_location_selectlist <dev-fixes/no-NO-language; Fix Suggestion: Update to version dev-fixes/no-NO-language
Affected version(s) =dev-features/better_depreciation_displays_and_api <dev-features/blade_component_for_submit; Fix Suggestion: Update to version dev-features/blade_component_for_submit
Affected version(s) >=dev-snyk-upgrade-226c28b0a47b6b2249169e44ad3f5ccc <v5.4.0; Fix Suggestion: Update to version v5.4.0
Affected version(s) =dev-features/bulk_asset_checkin_from_list_view <dev-features/bulk_update_asset_name; Fix Suggestion: Update to version dev-features/bulk_update_asset_name
Affected version(s) =dev-snyk-upgrade-d9b3d5060f9cd6bdfb081bded58ce6a6 <dev-snyk-upgrade-919d35b4cfc5d350dfdf05ea3ddd6dc5; Fix Suggestion: Update to version dev-snyk-upgrade-919d35b4cfc5d350dfdf05ea3ddd6dc5
Affected version(s) =dev-possible_fix_for_logout <dev-print_view_improvements; Fix Suggestion: Update to version dev-print_view_improvements
Affected version(s) =dev-snyk-fix-4fe443a92c8dea8fb137fbe1be558300 <dev-snyk-fix-3c0a826cc3528a757a82b73bdac60569; Fix Suggestion: Update to version dev-snyk-fix-3c0a826cc3528a757a82b73bdac60569
Affected version(s) =dev-snyk-fix-76e90d2881929f98caa2a384c451971b <dev-snyk-fix-432e0a4538aab56f58cbaf50561d2000; Fix Suggestion: Update to version dev-snyk-fix-432e0a4538aab56f58cbaf50561d2000
Affected version(s) =dev-integration <dev-jerk_prevention; Fix Suggestion: Update to version dev-jerk_prevention
Affected version(s) =dev-snyk-fix-d1c9fd7a6f3b8db3155938935de36b39 <dev-snyk-upgrade-1377cc2d38a76585c814757398543f5f; Fix Suggestion: Update to version dev-snyk-upgrade-1377cc2d38a76585c814757398543f5f
Affected version(s) =dev-snyk-upgrade-0f46dbb6c110d0a1cbc822b2daa65af1 <dev-snyk-upgrade-9e05d779a6887be31bf62c8514869d05; Fix Suggestion: Update to version dev-snyk-upgrade-9e05d779a6887be31bf62c8514869d05
Affected version(s) >=dev-improve_ldap_search_error_reporting <dev-improve_safety_csv_charset_detection; Fix Suggestion: Update to version dev-improve_safety_csv_charset_detection
Affected version(s) >=dev-features/sticky_column <dev-features/switch_dash_pie_to_status_type; Fix Suggestion: Update to version dev-features/switch_dash_pie_to_status_type
Affected version(s) =dev-fixes/added_gitkeep_to_eula_pdfs <dev-fixes/added_help_text_to_support_url; Fix Suggestion: Update to version dev-fixes/added_help_text_to_support_url
Affected version(s) =dev-fixes/fa_map_icon_in_chrome <dev-fixes/fail_with_error_when_uploaded_file_does_not_exist; Fix Suggestion: Update to version dev-fixes/fail_with_error_when_uploaded_file_does_not_exist
Affected version(s) =dev-bug/ch15774/black-mode-is-unreadable-in-list-views <dev-bug/check_for_valid_category_on_print; Fix Suggestion: Update to version dev-bug/check_for_valid_category_on_print
Affected version(s) =dev-snyk-fix-85f5adade942b5157bf57dab1c12889c <dev-snyk-upgrade-291b556667d6ffe966495405775b3255; Fix Suggestion: Update to version dev-snyk-upgrade-291b556667d6ffe966495405775b3255
Affected version(s) =dev-fixes/fix-for-css-on-column-selector <dev-fixes/fix_crash_on_purged_models_in_activity_report; Fix Suggestion: Update to version dev-fixes/fix_crash_on_purged_models_in_activity_report
Affected version(s) =dev-dependabot/github_actions/docker/build-push-action-3 <dev-dependabot/github_actions/docker/login-action-3; Fix Suggestion: Update to version dev-dependabot/github_actions/docker/login-action-3
Affected version(s) =dev-snyk-upgrade-606115776482fcac3576ea931ec2f582 <dev-uberbrady-patch-2; Fix Suggestion: Update to version dev-uberbrady-patch-2
Affected version(s) =dev-features/more_normal_consumables_api <dev-features/more_strictly_disallow_non_slack_checkout_hooks; Fix Suggestion: Update to version dev-features/more_strictly_disallow_non_slack_checkout_hooks
Affected version(s) =v4.4.0 <dev-dependabot/github_actions/develop/codacy/codacy-analysis-cli-action-4.4.1; Fix Suggestion: Update to version dev-dependabot/github_actions/develop/codacy/codacy-analysis-cli-action-4.4.1
Affected version(s) =dev-snyk-fix-25f738095fc3f4dea25af61f5af7df99 <dev-snyk-upgrade-9e465161f7c9fd096a214ca3ad2fae7b; Fix Suggestion: Update to version dev-snyk-upgrade-9e465161f7c9fd096a214ca3ad2fae7b
Affected version(s) >=v4.4.1 <v4.7.5; Fix Suggestion: Update to version v4.7.5
Affected version(s) =dev-snyk-upgrade-a38b61e5dc82c98d52041a0c1b5b2da0 <dev-snyk-upgrade-f710172d80462b13e2afd012e062cd5d; Fix Suggestion: Update to version dev-snyk-upgrade-f710172d80462b13e2afd012e062cd5d
Affected version(s) =dev-snyk-upgrade-19a3757d542372e092f6a139638d9e21 <dev-snyk-upgrade-680ee784d792d1583ed7eaf1f139f2ce; Fix Suggestion: Update to version dev-snyk-upgrade-680ee784d792d1583ed7eaf1f139f2ce
Affected version(s) =dev-features/experimental_labels <dev-features/google_socialite; Fix Suggestion: Update to version dev-features/google_socialite
Affected version(s) >=dev-l10n_develop <dev-snyk-upgrade-1297c81120d7d845e0fabbe492211d66; Fix Suggestion: Update to version dev-snyk-upgrade-1297c81120d7d845e0fabbe492211d66
Affected version(s) =dev-revert-11663-fixes/user_cant_be_deleted_if_has_consumables <dev-revert-12165-fixes/custom_fields_values; Fix Suggestion: Update to version dev-revert-12165-fixes/custom_fields_values
Affected version(s) =dev-fix_depreciation_report_v5 <dev-snyk-fix-109de929f33df8035195d2e8d005af8b; Fix Suggestion: Update to version dev-snyk-fix-109de929f33df8035195d2e8d005af8b
Affected version(s) =dev-fixes/gate_for_kits_nonsuperadmin <dev-fixes/handle_arrays_on_validation_failure; Fix Suggestion: Update to version dev-fixes/handle_arrays_on_validation_failure
Affected version(s) =dev-fixes/set_default_ldap_version <dev-fixes/show_error_when_assigned_to_not_null_but_type_is_null; Fix Suggestion: Update to version dev-fixes/show_error_when_assigned_to_not_null_but_type_is_null
Affected version(s) =dev-backup_migrator <dev-better_handle_inline_files; Fix Suggestion: Update to version dev-better_handle_inline_files
Affected version(s) >=dev-dependabot/github_actions/docker/metadata-action-4 <v4.1.5; Fix Suggestion: Update to version v4.1.5
Affected version(s) >=v4.1.6 <dev-dependabot/github_actions/codacy/codacy-analysis-cli-action-4.2.0; Fix Suggestion: Update to version dev-dependabot/github_actions/codacy/codacy-analysis-cli-action-4.2.0
Affected version(s) =dev-features/added_number_format_to_tab_badges <dev-features/added_phone_fax_to_locations; Fix Suggestion: Update to version dev-features/added_phone_fax_to_locations
Affected version(s) =dev-fixes/use_db_column_instead_of_converted_value <dev-fixes/use_more_modern_request_syntax_in_blades; Fix Suggestion: Update to version dev-fixes/use_more_modern_request_syntax_in_blades
Affected version(s) =dev-fixes/api_throttling <dev-fixes/array_key_in_import; Fix Suggestion: Update to version dev-fixes/array_key_in_import
Affected version(s) =dev-fixes/update_routes <dev-fixes/updated_apple_url; Fix Suggestion: Update to version dev-fixes/updated_apple_url
Affected version(s) =dev-features/adds_unescaper_to_execute <dev-features/adds_users_consumables_endpoint; Fix Suggestion: Update to version dev-features/adds_users_consumables_endpoint
Affected version(s) =dev-fix_deprecation_report <dev-fix_for_qr_on_old_label_engine; Fix Suggestion: Update to version dev-fix_for_qr_on_old_label_engine
Affected version(s) =dev-snyk-upgrade-0005397ba83c98631126ff98d5471e6d <dev-snyk-upgrade-f577261903c8b2bcda8908451c578b66; Fix Suggestion: Update to version dev-snyk-upgrade-f577261903c8b2bcda8908451c578b66
Affected version(s) >=v4.0-alpha <dev-dependabot/github_actions/actions/checkout-4; Fix Suggestion: Update to version dev-dependabot/github_actions/actions/checkout-4
Affected version(s) =dev-upgrade_select2 <v2.0; Fix Suggestion: Update to version v2.0
Affected version(s) =v3.0 <dev-dependabot/github_actions/actions/checkout-3.1.0; Fix Suggestion: Update to version dev-dependabot/github_actions/actions/checkout-3.1.0
Affected version(s) =dev-fixes/better_handle_bad_date_values <dev-fixes/better_handle_data_file_mismatch_in_user_files; Fix Suggestion: Update to version dev-fixes/better_handle_data_file_mismatch_in_user_files
Affected version(s) =dev-features/added_capture_tag_to_file_upload <dev-features/added_created_by_to_groups; Fix Suggestion: Update to version dev-features/added_created_by_to_groups
Affected version(s) =dev-develop-v6 <dev-develop-v6-integration; Fix Suggestion: Update to version dev-develop-v6-integration
Affected version(s) =dev-snyk-upgrade-354d4d4729c22cbbe5d63561e02e8cf9 <dev-v8_final_merge; Fix Suggestion: Update to version dev-v8_final_merge
Affected version(s) =dev-snyk-upgrade-880f0b8d533071d29c74b717094ac6ff <dev-snyk-upgrade-bd5b0beff2ee8fcecb36dce1879c6aa2; Fix Suggestion: Update to version dev-snyk-upgrade-bd5b0beff2ee8fcecb36dce1879c6aa2
Affected version(s) =dev-snyk-upgrade-024e246b67a996f99471215eb826285e <dev-snyk-upgrade-a83a4a1aa505b3530304a69dc8db7157; Fix Suggestion: Update to version dev-snyk-upgrade-a83a4a1aa505b3530304a69dc8db7157
Affected version(s) =dev-snyk-fix-a992b5202c0c6f1bc0166bb6963a1648 <dev-snyk-upgrade-0c59f405145c50aecd391737f21e1695; Fix Suggestion: Update to version dev-snyk-upgrade-0c59f405145c50aecd391737f21e1695
Affected version(s) =dev-feature/ch15660/nicer-formatting-of-the-page-if-custom-logout <dev-feature/google_login_more_prominent; Fix Suggestion: Update to version dev-feature/google_login_more_prominent
Affected version(s) =dev-snyk-fix-77c6e105b65be90c7f4726af85cc337f <dev-snyk-upgrade-9826430530842ed3fefb3dd1972343cc; Fix Suggestion: Update to version dev-snyk-upgrade-9826430530842ed3fefb3dd1972343cc
Affected version(s) >=v4.2.0 <dev-dependabot/github_actions/develop/codacy/codacy-analysis-cli-action-4.4.0; Fix Suggestion: Update to version dev-dependabot/github_actions/develop/codacy/codacy-analysis-cli-action-4.4.0
Affected version(s) >=v3.1.0 <dev-security/snyk_Upgrade-jspdf-autotable-from-3.8.1-to-3.8.2-14365; Fix Suggestion: Update to version dev-security/snyk_Upgrade-jspdf-autotable-from-3.8.1-to-3.8.2-14365
Affected version(s) =dev-fixes/smaller_padlock_on_table_header <dev-fixes/smarter_decryption_in_activity; Fix Suggestion: Update to version dev-fixes/smarter_decryption_in_activity
Affected version(s) =dev-feature/add_base_templates <dev-feature/ch15358/feature-request-allow-configurable-depreciation; Fix Suggestion: Update to version dev-feature/ch15358/feature-request-allow-configurable-depreciation
Affected version(s) >=v5.4.1 <dev-develop-v6-rc1; Fix Suggestion: Update to version dev-develop-v6-rc1
Affected version(s) =dev-features/accessories_users <dev-features/add_accept_pdf_to_asset_endpoint; Fix Suggestion: Update to version dev-features/add_accept_pdf_to_asset_endpoint
Affected version(s) =dev-rebased_added_gitkeep_to_to_eula_pdfs <dev-redirect-on-print-if-user-invalid; Fix Suggestion: Update to version dev-redirect-on-print-if-user-invalid
Affected version(s) =dev-revert-11016-patch-1 <dev-fixes/pr_12106_missing_slash_for_stdClass; Fix Suggestion: Update to version dev-fixes/pr_12106_missing_slash_for_stdClass
Affected version(s) =dev-snyk-upgrade-f4b6c42dd687561a48fbbd915415d6d1 <dev-snyk-upgrade-23af2ac368155dc386040447ab4dee5e; Fix Suggestion: Update to version dev-snyk-upgrade-23af2ac368155dc386040447ab4dee5e
Affected version(s) =dev-master <dev-more_print_fixes; Fix Suggestion: Update to version dev-more_print_fixes
Affected version(s) >=dev-dependabot/github_actions/docker/login-action-2 <dev-fixes/added_2fa_string; Fix Suggestion: Update to version dev-fixes/added_2fa_string
Affected version(s) =dev-features/nicer_ui_for_groups <dev-features/nicer_view_assets_ui_for_regular_users; Fix Suggestion: Update to version dev-features/nicer_view_assets_ui_for_regular_users
Affected version(s) >=v3.0-alpha <dev-dependabot/github_actions/actions/checkout-3; Fix Suggestion: Update to version dev-dependabot/github_actions/actions/checkout-3
Affected version(s) >=v4.7.6 <dev-dependabot/github_actions/docker/build-push-action-5; Fix Suggestion: Update to version dev-dependabot/github_actions/docker/build-push-action-5
Affected version(s) =dev-fixes/fix_ldap_js <dev-fixes/fixed_accessory_not_found_string; Fix Suggestion: Update to version dev-fixes/fixed_accessory_not_found_string
Affected version(s) =dev-develop <dev-disallow_bad_group_data; Fix Suggestion: Update to version dev-disallow_bad_group_data
Affected version(s) >=v6.0.0 <v6.0.11; Fix Suggestion: Update to version v6.0.11
Affected version(s) =dev-snyk-upgrade-335c0c078a71db28e3cbc7d151e19ab6 <dev-fixes/support_apache_24; Fix Suggestion: Update to version dev-fixes/support_apache_24
Affected version(s) =dev-features/add_url_in_export <dev-features/add_warranty_link_even_if_no_warranty_set; Fix Suggestion: Update to version dev-features/add_warranty_link_even_if_no_warranty_set
Affected version(s) =dev-snyk-fix-16fb0964121e9f33a31ba2a5db2ff491 <dev-fixes/500_error_when_cloning_invalid_accessory; Fix Suggestion: Update to version dev-fixes/500_error_when_cloning_invalid_accessory
Affected version(s) =dev-snyk-upgrade-b2b26cf8ec7a697fe0094f699652a345 <dev-snyk-upgrade-c984383061fd11ea3aa23a32407aa002; Fix Suggestion: Update to version dev-snyk-upgrade-c984383061fd11ea3aa23a32407aa002
Affected version(s) =dev-snyk-upgrade-e4f7076f1b4be8ac5cadcc7632c45a0e <dev-snyk-upgrade-48895ab5d277cdb4eb4964f8cdb50fa9; Fix Suggestion: Update to version dev-snyk-upgrade-48895ab5d277cdb4eb4964f8cdb50fa9
Affected version(s) =dev-fixes/add_additional_curreny_formats_and_split_api_results <dev-fixes/add_json_to_mimes; Fix Suggestion: Update to version dev-fixes/add_json_to_mimes
Affected version(s) =dev-features/adds_ldap_import_and_assets_count_to_user_api <dev-features/adds_license_checkin_checkout_to_all_in_gui; Fix Suggestion: Update to version dev-features/adds_license_checkin_checkout_to_all_in_gui
CVSS v4
Base Score: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE