Snipe-IT ships a coordinated batch of ~11 advisories — cross-tenant injection and bulk-edit privilege escalation lead
Snipe-IT, the widely self-hosted IT asset manager, published a coordinated batch of roughly eleven advisories late in the evening, led by a cross-tenant accessory injection where a low-privileged user in one company writes records into another (CVE-2026-54329, CVSS 8.5) and a bulk user-edit that lets an operator flip `ldap_import` and `activated_in` to escalate accounts (CVE-2026-48507, 7.1). The cluster is almost entirely tenancy- and authorization-boundary failures — multi-tenancy bypass via bulk asset update, CSV-import account escalation, a 2FA-reset bypass, brute-forceable TOTP, IDOR file deletion — the shape you get when one product is audited end-to-end, and on a shared Snipe-IT instance any one of them collapses the wall between orgs. Upgrade past 8.6.1 to the patched release tonight; if you run it multi-tenant, treat cross-company data as potentially already mixed until you can audit.