top of page
perceptive_background_267k.jpg

SpiceJet Online Booking System

Published:

23 April 2026 at 12:00:00

Alert date:

23 April 2026 at 17:04:31

Source:

cisa.gov

Click to open the original link from this advisory

Web Technologies, Critical Infrastructure, Identity & Access, Data Breach & Exfiltration

SpiceJet's online booking system contains two high-severity vulnerabilities that allow unauthorized access to passenger data. CVE-2026-6375 enables unauthenticated users to query passenger name records (PNRs) through predictable identifiers due to missing authorization checks. CVE-2026-6376 allows access to full passenger booking details using only PNR and last name without authentication. Both vulnerabilities affect all versions of the SpiceJet Online Booking System and could lead to sensitive information disclosure. SpiceJet has not responded to CISA's coordination attempts, leaving the vulnerabilities unpatched.

Technical details

Mitigation steps:

Affected products:

SpiceJet Online Booking System

Related links:

https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-04
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-04.json
https://www.cve.org/CVERecord?id=CVE-2026-6375
https://www.cve.org/CVERecord?id=CVE-2026-6376
https://corporate.spicejet.com/contactus.aspx
https://cwe.mitre.org/data/definitions/639.html
https://cwe.mitre.org/data/definitions/306.html
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page