{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40584", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.475Z", "datePublished": "2026-04-21T17:05:25.349Z", "dateUpdated": "2026-04-21T17:29:55.759Z"}, "containers": {"cna": {"title": "RansomLook - Improper Filtering of Private Location Entries in API Endpoints Leads to Information Exposure", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/RansomLook/RansomLook/security/advisories/GHSA-hv66-vcqc-v87c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RansomLook/RansomLook/security/advisories/GHSA-hv66-vcqc-v87c"}, {"name": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0025", "tags": ["x_refsource_MISC"], "url": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0025"}], "affected": [{"vendor": "RansomLook", "product": "RansomLook", "versions": [{"version": "< 1.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:05:25.349Z"}, "descriptions": [{"lang": "en", "value": "RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries marked as private may be unintentionally retained in API responses, allowing unauthorized disclosure of non-public location information. This vulnerability is fixed in 1.9.0."}], "source": {"advisory": "GHSA-hv66-vcqc-v87c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:29:46.934804Z", "id": "CVE-2026-40584", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:29:55.759Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40584", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:29:46.934804Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:29:52.286Z"}}], "cna": {"title": "RansomLook - Improper Filtering of Private Location Entries in API Endpoints Leads to Information Exposure", "source": {"advisory": "GHSA-hv66-vcqc-v87c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "RansomLook", "product": "RansomLook", "versions": [{"status": "affected", "version": "< 1.9.0"}]}], "references": [{"url": "https://github.com/RansomLook/RansomLook/security/advisories/GHSA-hv66-vcqc-v87c", "name": "https://github.com/RansomLook/RansomLook/security/advisories/GHSA-hv66-vcqc-v87c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0025", "name": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0025", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries marked as private may be unintentionally retained in API responses, allowing unauthorized disclosure of non-public location information. This vulnerability is fixed in 1.9.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:05:25.349Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40584", "state": "PUBLISHED", "dateUpdated": "2026-04-21T17:29:55.759Z", "dateReserved": "2026-04-14T13:24:29.475Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T17:05:25.349Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ransomlook:ransomlook:*:*:*:*:*:*:*:*", "matchCriteriaId": "29AA777D-C518-4B41-B0C6-17159D4D0DE7", "versionEndExcluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries marked as private may be unintentionally retained in API responses, allowing unauthorized disclosure of non-public location information. This vulnerability is fixed in 1.9.0."}], "id": "CVE-2026-40584", "lastModified": "2026-04-27T19:47:38.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:56.240", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/RansomLook/RansomLook/security/advisories/GHSA-hv66-vcqc-v87c"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://vulnerability.circl.lu/vuln/gcve-1-2026-0025"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "RansomLook", "source": "cna", "vendor": "RansomLook"}, "product": "ransomlook", "vendor": "ransomlook"}], "analysis": {"en": {"generated_at": "2026-04-21T22:34:46.478625+00:00", "value": {"mitigation_remediation": ["Upgrade RansomLook to version\u202f1.9.0 or later to apply the vendor fix.", "If an upgrade is not immediately possible, restrict access to the web API so that only trusted users or IP addresses can request location data.", "Implement an additional filter in the API code to exclude entries marked as private before constructing the response payload."], "summary": {"action": "Upgrade", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected system is the RansomLook tool. All releases prior to version\u202f1.9.0 are impacted. The defect was corrected in version\u202f1.9.0, where the list\u2011modification logic that caused private entries to leak was removed.", "description_and_impact": "The vulnerability stems from improper filtering of private location entries in the web API. When the list is modified while iterating, elements marked as private may remain in the response, exposing non\u2011public location data. This results in an information disclosure weakness (CWE\u2011200).", "risk_and_exploitability": "With a CVSS score of 6.9, the vulnerability represents moderate severity. The exploitation vector is through the exposed API endpoints, which is inferred as a network\u2011based attack path. An attacker who can reach the API, without additional authentication, could retrieve private location data. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-21T22:45:16.050375+00:00", "updated": "2026-04-22T11:46:06.400741+00:00", "vendors": ["ransomlook", "ransomlook$PRODUCT$ransomlook"]}