CVE-2026-6375

Name: CVE-2026-6375 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-6375

HIGH

CVSS v4.0: 8.7 · EPSS: 0.0031 (22.6 percentile)

NetworkNo privilegesNo user interactionAuthorization Bypass (IDOR)

Source data as of: 2026-06-17 05:00:11 UTC

At a glance

Severity: HIGH
CVSS: 8.7 v4.0 · NVD
EPSS: 0.0031 (22.6 percentile) · FIRST.org
CISA KEV: No
Type: Authorization Bypass (IDOR) · NVD CWE
Attack conditions (CVSS vector): NetworkNo privilegesNo user interaction · Source: NVD Vector
Published: 2026-04-23 · Modified: 2026-06-16
References: Jump to references (1)

CVSS / EPSS / KEV

CVSS v4.0 8.7 / 10 HIGH Source: NVD

EPSS 0.0031 22.6 percentile Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

Record details

CVE ID: CVE-2026-6375
CVSS (v4.0): 8.7 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0031 (22.6 percentile) — 2026-06-17
CISA KEV: No
Weakness (CWE): CWE-639
Affected configurations (CPE): 0
Published: 2026-04-23
Modified: 2026-06-16
Status: Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

CISA https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04

← Back to all records

CVE-2026-6375

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same weakness type (CWE)

Published the same year