CVE-2026-6376 describes an unauthenticated information-disclosure issue in SpiceJet’s public booking retrieval flow. Per CISA’s advisory, a user who knows or can guess a PNR and last name may retrieve full passenger booking details without authentication or additional verification, exposing sensitive personal, travel, and booking metadata. The issue is scored CVSS 3.1 7.5 (HIGH) and is accompanied in the [truncated]
CVE-2026-6375 describes a missing-authorization flaw in SpiceJet’s online booking system. According to the CISA CSAF advisory published on 2026-04-23, an unauthenticated attacker can query passenger name records (PNRs) and obtain associated passenger names because the booking API does not enforce access controls on an endpoint intended for authenticated profile access. The advisory also notes that PNR ide [truncated]
