CVE-2026-44833

Severity: Medium
Published: 26 May 2026
Modified: 26 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in 8.4.1
CVSS Score: 5.9 (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 12 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-44833 is a medium-severity Open Redirect (CWE-601) vulnerability in Snipeitapp Snipe-It. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). EPSS ranks it at the 1.1th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and one other technique, Malicious Link (T1204.001).
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Security awareness: includes verifying URLs and avoiding untrusted redirects that lead to malicious sites. (addresses CWE-601)
- Validates redirect targets and URLs to ensure they conform to allowed destinations. (addresses CWE-601)

MITRE ATT&CK Enterprise Techniques (AI)

- T1566.002 Spearphishing Link (Initial Access): adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
- T1204.001 Malicious Link (Execution): an adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

Open redirect (CWE-601) directly enables crafting malicious links that abuse the vulnerable redirect to reach attacker sites, facilitating spearphishing links and user execution of malicious content.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header stored in a session variable. This vulnerability is fixed in 8.4.1.
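The NVD description above names the mechanism (a Referer value remembered in the session and later used as a redirect target), and the mitigating-controls section names the fix (validate redirect targets against allowed destinations). The following is an added example written for this page, not Snipe-IT's own code, showing a same-origin allow-list check applied at the point where the Referer is stored. The application host name `assets.example`, the `remember_referer`/`redirect_back` helpers and the sample Referer values are all constructed for illustration.

```python
"""Allow-list check for a redirect target derived from the HTTP Referer header.

Added example (not Snipe-IT code). Assumes an application that stores a
"return to" URL in the session and later issues a redirect to it; the check
keeps only same-origin, path-only targets and falls back to a safe default.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PATH = "/"          # where to send the user when the target is rejected
SAFE_SCHEMES = ("http", "https")


def safe_redirect_target(candidate: Optional[str], allowed_hosts: set) -> str:
    """Return a same-origin, path-only redirect target, or DEFAULT_PATH.

    Rejected inputs (all map to DEFAULT_PATH):
      * empty / missing header,
      * control characters or backslashes (header injection, /\\host tricks),
      * non-http(s) schemes such as javascript: or data:,
      * absolute or protocol-relative URLs whose host is not in allowed_hosts,
      * relative paths that do not start with "/".
    Accepted inputs are rebuilt without scheme and host, so the browser can
    only ever stay on the application's own origin.
    """
    if not candidate:
        return DEFAULT_PATH
    # Control characters could smuggle a header; backslashes are re-read as
    # slashes by some browsers ("/\\evil.example" becomes "//evil.example").
    if any(ord(ch) < 0x20 or ch == "\\" for ch in candidate):
        return DEFAULT_PATH

    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in SAFE_SCHEMES:
        return DEFAULT_PATH
    if parts.netloc:
        # Absolute ("https://h/...") or protocol-relative ("//h/...") URL:
        # the host must be one of ours. hostname strips userinfo and port.
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return DEFAULT_PATH

    path = parts.path or "/"
    if not path.startswith("/"):
        return DEFAULT_PATH
    # Rebuild with empty scheme and netloc. Because netloc is empty,
    # urlunsplit never re-introduces a "//" prefix, so inputs such as
    # "///evil.example" (which urlsplit parses as path "/evil.example")
    # come back as a plain same-origin path rather than a host reference.
    return urlunsplit(("", "", path, parts.query, ""))


# --- Session-flow helpers (constructed; a plain dict stands in for the session) ---

def remember_referer(session: dict, referer_header: Optional[str], allowed_hosts: set) -> None:
    """Store only an already-validated target, never the raw header value."""
    session["return_to"] = safe_redirect_target(referer_header, allowed_hosts)


def redirect_back(session: dict) -> str:
    """Location value for the redirect; defaults if nothing safe was stored."""
    return session.get("return_to", DEFAULT_PATH)


if __name__ == "__main__":
    hosts = {"assets.example"}            # the application's own host(s), assumed
    samples = [                           # constructed Referer values
        "/hardware/1",
        "https://assets.example/hardware/1?x=1",
        "https://evil.example/phish",
        "//evil.example/phish",
        "javascript:alert(1)",
        "/\\evil.example",
        None,
    ]
    for value in samples:
        print(repr(value), "->", safe_redirect_target(value, hosts))
```

The important design choice is that validation happens when the value enters the session, and that the stored value is a rebuilt relative path rather than the caller's string: later code that reads `return_to` cannot be tricked by a parser disagreement between the server-side URL library and the browser, because there is no scheme or host left for the browser to interpret.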

Deeper analysis (AI)

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-601
OWASP Top 10 Web 2025:

Affected Products

Vendor: snipeitapp
Product: snipe-it
Versions: ≤ 8.4.1
