{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6492", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-17T07:24:13.202Z", "datePublished": "2026-04-17T14:00:15.221Z", "dateUpdated": "2026-04-17T14:32:34.042Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-17T14:00:15.221Z"}, "title": "arnobt78 Hotel Booking Management System Health Check Endpoint detailed information disclosure", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "Information Disclosure"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}], "affected": [{"vendor": "arnobt78", "product": "Hotel Booking Management System", "versions": [{"version": "f8922d0e0f6ac1cc761974c7616f44c2bbc04bea", "status": "affected"}], "modules": ["Health Check Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "timeline": [{"time": "2026-04-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-17T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-17T09:29:17.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "sudosme (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358036", "name": "VDB-358036 | arnobt78 Hotel Booking Management System Health Check Endpoint detailed information disclosure", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358036/cti", "name": "VDB-358036 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787242", "name": "Submit #787242 | arnobt78 Hotel Booking Management System 1 Information Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sudo-secure/security-research/blob/main/Hotel-Booking-Management-System/sensitive-information-disclosure/PoC.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T14:32:28.178190Z", "id": "CVE-2026-6492", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T14:32:34.042Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6492", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T14:32:28.178190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T14:32:30.632Z"}}], "cna": {"title": "arnobt78 Hotel Booking Management System Health Check Endpoint detailed information disclosure", "credits": [{"lang": "en", "type": "reporter", "value": "sudosme (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "affected": [{"vendor": "arnobt78", "modules": ["Health Check Endpoint"], "product": "Hotel Booking Management System", "versions": [{"status": "affected", "version": "f8922d0e0f6ac1cc761974c7616f44c2bbc04bea"}]}], "timeline": [{"lang": "en", "time": "2026-04-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-17T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-17T09:29:17.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358036", "name": "VDB-358036 | arnobt78 Hotel Booking Management System Health Check Endpoint detailed information disclosure", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358036/cti", "name": "VDB-358036 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787242", "name": "Submit #787242 | arnobt78 Hotel Booking Management System 1 Information Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sudo-secure/security-research/blob/main/Hotel-Booking-Management-System/sensitive-information-disclosure/PoC.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Information Disclosure"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-17T14:00:15.221Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6492", "state": "PUBLISHED", "dateUpdated": "2026-04-17T14:32:34.042Z", "dateReserved": "2026-04-17T07:24:13.202Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-17T14:00:15.221Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6492", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-17T14:16:35.380", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/sudo-secure/security-research/blob/main/Hotel-Booking-Management-System/sensitive-information-disclosure/PoC.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/787242"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358036"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358036/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f8922d0e0f6ac1cc761974c7616f44c2bbc04bea"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "hotel_booking_management_system", "vendor": "arnobt78"}], "analysis": {"en": {"generated_at": "2026-04-18T09:17:23.604734+00:00", "value": {"mitigation_remediation": ["Verify if a newer release that fixes the health check disclosure is available and apply it immediately.", "If no fix is available, restrict access to the /api/health/detailed endpoint using authentication, firewall rules, or IP whitelisting to limit exposure.", "Disable the Health Check Endpoint if it is not essential for operational monitoring.", "Monitor network traffic and application logs for abnormal calls to the exposed endpoint.", "Segment the network to isolate the application tier from externally reachable components."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is arnobt78 Hotel Booking Management System. Versioning follows a rolling release model, and the exact versions affected are not enumerated. The vulnerability was found in functionality prior to the commit f8922d0e0f6ac1cc761974c7616f44c2bbc04bea.", "description_and_impact": "The vulnerability resides in an undisclosed function within the file /api/health/detailed of the Health Check Endpoint, allowing an attacker to receive sensitive system information. The weakness, identified as information disclosure, permits an attacker to learn details that could aid further intrusion. This flaw operates with remote exploitation capabilities, meaning a threat actor can trigger it from outside the network without additional footholds.", "risk_and_exploitability": "The severity is scored as 6.9 on the CVSS scale, indicating a moderate to high risk. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified, but the vulnerability is publicly documented and does not appear in the CISA KEV catalog. Based on the description, the likely attack vector is remote, and exploitation requires only that the actor can send a request to the /api/health/detailed endpoint, which may be unauthenticated or protected by weak access controls."}}}}, "created": "2026-04-17T20:40:09.875029+00:00", "updated": "2026-04-18T09:30:25.677897+00:00", "vendors": ["arnobt78", "arnobt78$PRODUCT$hotel_booking_management_system"]}