
5 matches found

EUVD
added 2026/04/23 9:31 p.m., 5 views

EUVD-2026-25299

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw...

CVSS 8.7, AI score 5.8, EPSS 0.00311
Exploits: 0, References: 2
ATTACKERKB
added 2026/04/23 8:07 p.m., 4 views

CVE-2026-6375

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw...

CVSS 8.7, AI score 5.8, EPSS 0.00311
Exploits: 0, References: 2
Positive Technologies
added 2026/04/23 12:00 a.m., 2 views

PT-2026-34749

Name of the Vulnerable Software and Affected Versions: SpiceJet booking API (affected versions not specified)
Description: A flaw in the booking API allows unauthenticated users to query passenger name records (PNRs) due to a lack of access controls. Since PNR identifiers follow a predictable pattern, ...

CVSS 8.7, AI score 5.8, EPSS 0.00311
Exploits: 0, References: 3
RedhatCVE
added 2025/07/09 4:03 p.m., 18 views

CVE-2025-53373

Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b...

CVSS 9.3, AI score 7, EPSS 0.00299
Exploits: 0, References: 1
OSV
added 2025/07/07 3:38 p.m., 6 views

CVE-2025-53373 Natours has a 1 Click Account take over on reset password via Host Header injection

Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b...

CVSS 9.3, AI score 6.8, EPSS 0.00299
Exploits: 0, References: 4