Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.
CVE ID: CVE-2024-48987
Vendor: n/a
Product: n/a
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 11.49% (scored less or equal to compared to others)
EPSS Date: 2025-02-05 (when was this score calculated)