CVE-2026-54105

Publié : 18 juin 2026

Modifié : 18 juin 2026

Score CVSS

5.3

MEDIUM

Description détaillée

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Références et Patchs

https://epds.gao.gov/https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json https://www.cve.org/CVERecord?id=CVE-2026-54105 https://www.eds.cbca.gov/login

Dernières Vulnérabilités

CVE-2026-52866

An attacker within BLE communication range can monopolize the device's only available BLE connection slot, preventing legitimate users or applications from establishing a connection.

VOIR DÉTAILS

CVE-2026-50034

An attacker within BLE communication range can passively intercept wireless traffic and obtain sensitive health-related information, including glucose measurement values.

VOIR DÉTAILS

CVE-2026-40624

Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request.

VOIR DÉTAILS