
Snipe-IT review 2026: pricing, CVEs, alternative

Arthur Teboul · 10 min read

Citation capsule

  • "Snipe-IT Cloud starts at $39.99/month for the entry tier (5 users, 100 assets), self-hosted remains free under AGPLv3 (Source: snipeitapp.com, 2026)"
  • "CVE-2026-37709 (CVSS 9.8) was a critical RCE in Snipe-IT through 8.4.0 via UploadedFilesController, patched March 2026 (Source: NVD, 2026)"
  • "Snipe-IT v8.0 (February 2025) added breadcrumbs and Laravel UX improvements but no major API changes (Source: Grokstar, 2025)"

Snipe-IT is the cheapest defensible answer to the question "how do we track what we own". It is an asset-registry product — not an ITAM platform. The distinction matters because three other open-source tools (GLPI, OCS Inventory, NetBox) confuse the same buyer, and four paid SaaS tools (Lansweeper, ServiceNow ITAM, Atera, sobrii) compete for the same budget line. This review locks in what Snipe-IT actually does in 2026 — and where it stops.

For comparison context, see our IT asset management pillar and the GLPI alternative comparison.

What is Snipe-IT in 2026

Snipe-IT is a web-based asset management application written in PHP on the Laravel framework, maintained by Grokability Inc. The core engine has been open source since 2013 under AGPLv3. A Cloud offering, launched in 2019, hosts the same code on Grokability infrastructure with managed updates and backups.

The data model is simple by design: assets, models, manufacturers, suppliers, categories, locations, users, consumables, components, licenses. Every record can carry custom fields. Snipe-IT does not run an agent. There is no discovery scan, no software inventory, no usage telemetry. You feed the database — by import, by API, by hand, by barcode scan. Snipe-IT reads it back to you on request.

Snipe-IT pricing — verified May 2026

Self-hosted. Free under AGPLv3. You run it on your own LAMP stack — typical install: Ubuntu, MySQL/MariaDB, PHP 8.1+, Nginx or Apache. License obligation: if you fork and distribute, your source must be available under AGPLv3.

Snipe-IT Cloud. Hosted by Grokability, all updates included.

| Tier | Users | Assets | Monthly |
| --- | --- | --- | --- |
| Entry | 5 | 100 | $39.99 |
| Small | varies | varies | scales by user and asset count |
| Custom | unlimited | unlimited | quote-based |

Source: snipeitapp.com, accessed May 2026. The published page emphasises "5 users, 100 assets" at entry — higher tiers are listed but the scale moves by user count and asset volume, with bespoke negotiation past the small business band.

For a 200-device fleet with 10 IT users, real-world quotes land around $100–$130/month — derived rate roughly $7–$10/device/year, far cheaper than Lansweeper Starter at €1.19/asset/yr translated to broader feature scope. Snipe-IT's price advantage holds only because the feature scope is narrower.

What Snipe-IT does well

Asset tracking with barcodes. Print labels, scan with a phone, check in/out, audit. Snipe-IT's barcode workflow is the gold standard for SMB IT inventories. Reddit r/sysadmin threads from 2024–2026 repeatedly call out the barcode UX as "the reason we stayed".

License management. Track seats, expiration dates, multi-pack assignments, document attachments. Rare in free tools, common pain point for finance teams.

Custom fields and custom fieldsets. Every model class supports user-defined fields. A laptop can carry "warranty expiration", "purchase order", "encryption status", "compliance tag" — typed, validated, searchable.

REST API. Documented, stable, OAuth2-protected. Reddit and G2 reviews consistently praise the API as the integration backbone — Snipe-IT pairs well with Zapier, Power Automate, and custom Python scripts.

30+ built-in reports. Asset audit reports, depreciation schedules, license expiration warnings, low-inventory alerts, custom report builder.

Mobile-friendly web UI. Works on any device for audits and updates. No native iOS or Android app — the web app handles mobile camera barcode scans through the browser.

Where Snipe-IT falls short

No discovery agent. Snipe-IT does not scan networks, does not inventory installed software, does not capture hardware specs automatically. You enter the data — or import from another system. For an organisation with 500 endpoints and frequent hardware refreshes, the manual upkeep cost adds up.

No telemetry. No CPU/RAM/disk monitoring, no boot time, no application usage, no per-device energy. Snipe-IT is a static database — what it says about a laptop is what was last entered.

No remote control. No screen sharing, no remote session, no scripting. Out of scope by design.

Patch and compliance gaps. Snipe-IT tells you a laptop exists. It does not tell you whether that laptop has CVE-2024-49606 unpatched.

Setup friction. Self-hosted Snipe-IT requires a real LAMP stack and ongoing OS-level maintenance. G2 ease-of-use scores hover near 3.8/5 — value scores at 4.5/5+. The split tells the story: powerful for what it does, painful to stand up.

Ease-of-use cliff at scale. Custom field permissioning, multi-location workflows, and bulk operations get unwieldy past ~2,000 assets and ~50 users. Reddit calls it "great at 500, friction at 2,000, broken at 5,000".

Snipe-IT CVE history — the part you cannot skip

Snipe-IT has a richer CVE history than most ITAM tools at its size. The product surface — file uploads, custom fields, user permissions, API endpoints — is broad, and the maintainer base is small. The pattern is consistent: vulnerabilities are reported responsibly, patched promptly, but new ones surface every release cycle.

Recent high-impact entries:

| CVE | CVSS | Description | Affected | Year |
| --- | --- | --- | --- | --- |
| CVE-2026-37709 | 9.8 (Critical) | RCE via insecure file upload in UploadedFilesController | ≤8.4.0 | 2026 |
| CVE-2026-44832 | High | Privilege escalation via API permissions PATCH | ≤8.4.0 | 2026 |
| CVE-2026-38533 | Medium | Improper authorization on /api/v1/users/ | 8.4.0 | 2026 |
| CVE-2025-47226 | Medium | Insecure Direct Object Reference (IDOR) | 8.0.4 | 2025 |
| CVE-2023-5452 (updated 2024) | 5.4 | Stored XSS | <6.2.2 | 2024 |

Source: NVD, SentinelOne Vulnerability Database, GitHub Security Advisories.

Operational takeaway: Snipe-IT users must patch on the release-day cadence. The Cloud tier handles this automatically. Self-hosted operators carry the patching burden — and the 2026 RCE in particular sat unpatched on many self-hosted installs for weeks before announcements propagated.
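
For self-hosted operators, the "Affected" column above can be turned into a repeatable check. The following is an added example, not code from Snipe-IT or Grokability: it compares version strings you have collected from each install against the ranges in the table. The instance names and versions are constructed, and reading a bare version in the table as an exact match is an assumption.

```python
import re

# Affected ranges copied from the table above. A bare version is treated as an
# exact match (assumption: the table gives no operator for those rows).
ADVISORIES = [
    ("CVE-2026-37709", "9.8 (Critical)", "<=8.4.0"),
    ("CVE-2026-44832", "High", "<=8.4.0"),
    ("CVE-2026-38533", "Medium", "==8.4.0"),
    ("CVE-2025-47226", "Medium", "==8.0.4"),
    ("CVE-2023-5452", "5.4", "<6.2.2"),
]

def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v8.4.0 - build 0000'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def matches(installed, constraint):
    """Evaluate one '<=', '<' or '==' constraint against a version tuple."""
    op, bound = re.fullmatch(r"(<=|==|<)(.+)", constraint).groups()
    bound = parse_version(bound)
    return {"<=": installed <= bound, "<": installed < bound,
            "==": installed == bound}[op]

def exposed_cves(version_text):
    installed = parse_version(version_text)
    return [cve for cve, _sev, rng in ADVISORIES if matches(installed, rng)]

def audit(instances):
    """Map each instance to the listed CVEs whose range covers its version."""
    report = {}
    for name, version_text in instances.items():
        try:
            report[name] = exposed_cves(version_text)
        except ValueError:
            report[name] = ["UNKNOWN VERSION"]  # unreadable: review by hand
    return report

# Constructed inventory of self-hosted installs (hypothetical names/versions).
INSTANCES = {
    "assets-hq": "v8.4.0 - build 0000",
    "assets-lab": "v8.0.4",
    "assets-old": "6.1.0",
    "assets-new": "v8.4.1",
    "assets-broken": "unknown",
}

if __name__ == "__main__":
    for name, cves in audit(INSTANCES).items():
        print(f"{name:14} {', '.join(cves) or 'none of the listed CVEs'}")
```

An empty result only means the version falls outside the ranges listed in this table; it says nothing about advisories published since.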

Snipe-IT v8 — what shipped February 2025

The v8.0 release (announced February 2025 by Grokability) focused on UX consistency: a breadcrumb navigation system, Laravel framework upgrade, and accelerated test-suite execution. No major API changes — existing integrations continued to work without modification. Post-launch patches (v8.1, v8.2, v8.2.1) shipped through 2025 and into 2026 to address the CVEs above.

Source: grokstar.dev and github.com/grokability/snipe-it/releases.

When to keep Snipe-IT, when to migrate

Keep Snipe-IT if at least three are true:

  • Fleet size 50–2,000 endpoints
  • Asset registry is the only ITAM need — discovery and telemetry are handled elsewhere or not required
  • Budget for ITAM is sub-$5,000/year
  • Your IT team can run a LAMP stack or accept Snipe-IT Cloud at $39.99–$130/month
  • Barcode-based audits are a recurring workflow

Migrate if at least three match:

  • Fleet size approaches 2,000+ endpoints with multi-location complexity
  • You need software inventory, license usage measurement, or hardware telemetry
  • CSRD or ESRS E1 carbon reporting is in scope
  • You want to consolidate remote control and asset management in one product
  • Compliance auditors require automated discovery rather than manual entry
  • The self-hosted patching workload is taking IT time you cannot afford

Sobrii ships one Rust agent — discovery, telemetry, remote control

One Rust agent, < 1% CPU. Snipe-IT has no agent at all — you feed the database. The ITAM industry average past Snipe-IT stacks a Lansweeper Java scanner, an MDM, an EDR, an RMM, and a DEX tool. sobrii ships one signed, sandboxed Rust binary that handles discovery, hardware telemetry, software inventory, per-app energy, and WebRTC remote control. Measured footprint stays under 1% CPU on Windows and macOS. Fewer agents means smaller attack surface, less battery drain, less support overhead.

The structural gap with Snipe-IT is not feature parity — it is the existence of telemetry. Snipe-IT will tell you a Dell Latitude 5430 exists and is assigned to Marie. sobrii tells you the same laptop runs at 67% average CPU during business hours, crashes Teams 2.4 times per day, has 312 days of battery life left, and emitted 14.6 kg CO₂ last quarter.

Why sobrii's lifecycle adds a 4th decision: reallocate

sobrii adds a 4th lifecycle decision: reallocate. Where Snipe-IT records the status of an asset (deployable, deployed, archived, broken), sobrii computes 4 options per device — upgrade, repair, reallocate (to the next employee), replace — with cost and CO₂ for each. Snipe-IT requires you to make the decision yourself and log it. sobrii surfaces the math: a Dell Latitude 5420 with 18 months on a Marketing user is worth €420 reallocated to a Sales user (3-year extension) versus €0 in resale or €120 in environmental cost if replaced.

The reallocate branch extends average service life by 12–18 months and halves per-device embodied carbon. Snipe-IT cannot expose this — there is no telemetry behind the asset record.

See how sobrii's Pilotage Financier exposes the 4th decision.

sobrii measures kWh per employee, not per site

sobrii measures kWh per employee, not per site. The Rust agent captures real consumption (CPU/GPU/screen/battery) second-by-second, then applies the regional grid emission factor (Ember, EPA eGRID) to produce kg-CO₂ per employee per month — exportable directly to CSRD ESRS E1. No category-average proxies: measurement is per device, aggregated per employee.

Snipe-IT has no emissions module. The only sustainability claim a Snipe-IT install can make is "we tracked the asset before recycling it" — true, but not enough for CSRD ESRS E1.

Remote control is bundled — no TeamViewer line item

Remote control is in the plan, not an add-on. Snipe-IT does not include remote control. To take a session, you need TeamViewer, AnyDesk, Splashtop, or another tool — and another license. sobrii ships a built-in WebRTC remote-desktop module (peer-to-peer, no external relay, multi-screen, auto-reconnect). 200-device benchmark: TeamViewer Business roughly $1,020/month → sobrii: $0/month (bundled).

For a 500-device fleet, the Snipe-IT Cloud + TeamViewer Business + Lansweeper Starter stack runs roughly $150 + $1,020 + €199 = $1,400/month combined (≈$16,800/yr) — and you still do not have telemetry or carbon. The sobrii equivalent at €15/device/yr is €7,500/yr for the same 500 devices, with telemetry, remote control, and carbon included.

Sobrii is 100% bilingual FR/EN at the product core

sobrii is 100% bilingual FR/EN at the product core. Every label, every CSRD report, every export is rendered in the user's language — not a 70%-translated glossary. Reference customer: Métropole de Montpellier (3M residents, 7,000 monitored PCs, –10% CO₂, ≈€1.5M of purchases avoided). sobrii is one of the rare ITAM SaaS designed in France with FR/EN parity from v1.

Snipe-IT supports French via community-contributed locale files but is English-first throughout the documentation and admin UI. For French ESN or public-sector deployments, native bilingual depth often matters.

FAQ

How much does Snipe-IT cost in 2026?

Self-hosted Snipe-IT is free under AGPLv3. Snipe-IT Cloud starts at $39.99/month for 5 users and 100 assets. Higher tiers scale by user count and asset volume — typical 200-device fleet quotes land at $100–$130/month. Verified against snipeitapp.com/pricing in May 2026.

Has Snipe-IT been hit by serious CVEs?

Yes. CVE-2026-37709 (CVSS 9.8) was a critical remote code execution in versions through 8.4.0, patched in March 2026. CVE-2026-44832 enabled privilege escalation via the API in the same release window. Snipe-IT users — especially self-hosted operators — must patch on release-day cadence. Snipe-IT Cloud handles patching automatically.

Does Snipe-IT have a discovery agent?

No. Snipe-IT is an asset register — you populate it by import, API, manual entry, or barcode scan. There is no network discovery, no installed-software inventory, no hardware telemetry. For automated discovery, pair Snipe-IT with Lansweeper, OCS Inventory, or migrate to a telemetry-first ITAM like sobrii.

Is Snipe-IT good enough for ISO 27001 inventory requirements?

Partial. ISO/IEC 27001 Annex A.5.9 requires an inventory of information and other associated assets — Snipe-IT provides the record-keeping layer. Auditors increasingly expect evidence the inventory matches reality, which means automated reconciliation. A manual Snipe-IT install can satisfy the letter; a Snipe-IT + Lansweeper or sobrii combination satisfies the spirit.
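
What automated reconciliation looks like in practice, as an added example that is not part of Snipe-IT or any vendor's tooling: it compares a register export against a discovery feed and reports where the two disagree. The CSV column names, the discovery feed, the 30-day staleness threshold and all sample records are constructed assumptions.

```python
import csv, io
from datetime import date

# Constructed register export (column names are assumptions).
REGISTER_CSV = """asset_tag,serial,status
A-0001,5CG1234ABC,deployed
A-0002,5cg5678def ,deployed
A-0003,PF2XYZ99,archived
A-0004,C02ZZ111,deployed
A-0005,5CG1234ABC,deployed
"""
# Constructed discovery feed: serial -> date last seen on the network.
DISCOVERED = {
    "5CG1234ABC": date(2026, 5, 20),
    "5CG5678DEF": date(2026, 1, 3),
    "PF2XYZ99": date(2026, 5, 19),
    "JKL00042": date(2026, 5, 21),
}
TODAY = date(2026, 5, 22)  # constructed audit date

def norm(serial):
    """Serials are hand-typed in a manual register: ignore case and spaces."""
    return serial.strip().upper()

def reconcile(register_csv, discovered, today, stale_days=30):
    by_serial = {}
    for row in csv.DictReader(io.StringIO(register_csv)):
        by_serial.setdefault(norm(row["serial"]), []).append(row)
    seen = {norm(s): d for s, d in discovered.items()}
    findings = {"duplicate_serial": [], "registered_not_seen": [],
                "stale": [], "archived_but_active": [], "unregistered": []}
    for serial, recs in by_serial.items():
        if len(recs) > 1:                       # one device, two records
            findings["duplicate_serial"].append(serial)
        for rec in recs:
            last = seen.get(serial)
            if rec["status"] == "archived":
                if last and (today - last).days <= stale_days:
                    findings["archived_but_active"].append(rec["asset_tag"])
            elif last is None:                  # on paper only
                findings["registered_not_seen"].append(rec["asset_tag"])
            elif (today - last).days > stale_days:
                findings["stale"].append(rec["asset_tag"])
    # Devices on the network that the register does not know about.
    findings["unregistered"] = sorted(set(seen) - set(by_serial))
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(REGISTER_CSV, DISCOVERED, TODAY).items():
        print(f"{kind:22} {items}")
```

The dated output of a run like this, kept per audit cycle, is the kind of evidence that the inventory matches reality.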

What is the difference between Snipe-IT and GLPI?

GLPI is a broader ITSM/ITAM platform with helpdesk, contract management, and the OCS Inventory agent pairing for hardware discovery. Snipe-IT is narrower — pure asset register, no ticketing, no agent. Pick GLPI when you want a French open-source full ITSM/ITAM stack. Pick Snipe-IT when asset registry is the only need and you want the simplest possible system.

What is the best Snipe-IT alternative in 2026?

Depends on the gap. For asset registry plus discovery: GLPI + OCS Inventory (free, self-hosted). For asset registry plus discovery plus remote control plus measured carbon: sobrii at €12–€20/device/yr. For network-discovery-only with vulnerability correlation: Lansweeper Starter at €199/month or Pro at €359/month base.

Written by Arthur Teboul, CPO & Co-founder, sobrii

Arthur is CPO and co-founder of sobrii, a SaaS platform that helps IT leaders manage the lifespan, costs, and carbon footprint of their device fleets. sobrii collects real-time data from every endpoint to replace calendar-based refresh cycles with decisions based on actual machine health.
