VYPR
Advisory · Published May 2, 2026 · Updated May 17, 2026 · 4 sources

CISA Issues Multiple Advisories for Critical Authentication and Data Exposure Flaws

CISA has released multiple advisories detailing critical authentication bypass and data exposure vulnerabilities affecting travel booking platforms, IP cameras, GNSS receivers, and legacy network mapping tools.

CISA has issued a series of advisories describing critical vulnerabilities across several industrial and commercial products, from an airline's online booking system to GNSS hardware. Taken together they show two recurring failures: functions that are reachable without authentication or authorization, and input handling that exposes data the caller should never see.

The SpiceJet Online Booking System is affected by two high-severity vulnerabilities, CVE-2026-6375 and CVE-2026-6376, each with a CVSS score of 7.5. The first allows an unauthenticated attacker to query passenger name records (PNRs) through an API endpoint that performs no authorization check; the second returns full booking metadata to anyone who supplies a PNR and a last name, a pair that is printed on boarding passes and confirmation e-mails rather than kept secret. SpiceJet has not responded to CISA's coordination requests regarding these flaws. [CISA]
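The two booking-system flaws are instances of the same mistake: a record lookup that never asks who is calling. The following is an added illustration, not SpiceJet code and not derived from the advisory's technical details; the PNRs, names, accounts and tokens are invented, and the endpoint shapes are hypothetical. It shows the anti-pattern (anonymous PNR enumeration, and a PNR-plus-last-name lookup that returns the whole record) next to a hardened form that requires a session and checks that the authenticated account owns the booking.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller is not allowed to see a booking."""


@dataclass(frozen=True)
class Booking:
    pnr: str
    last_name: str
    owner_id: str          # account that made the booking
    segments: tuple        # e.g. ("DEL-BOM",)
    contact_email: str     # part of the "full booking metadata" an attacker wants


# Constructed sample data for the demo; PNRs, names and accounts are invented.
BOOKINGS = {
    "QX7P2A": Booking("QX7P2A", "Sharma", "acct-101", ("DEL-BOM",), "a.sharma@example.com"),
    "M4K9ZT": Booking("M4K9ZT", "Khan", "acct-202", ("BLR-HYD", "HYD-BLR"), "r.khan@example.com"),
}
# Bearer token -> account id. In a real service these come from the session store.
SESSIONS = {
    "tok-acct-101": "acct-101",
    "tok-acct-202": "acct-202",
}


# --- The anti-pattern the advisory describes --------------------------------

def list_pnrs_vulnerable() -> list:
    """Endpoint with no authorization check at all: anyone can enumerate PNRs."""
    return sorted(BOOKINGS)


def get_booking_vulnerable(pnr: str, last_name: str):
    """'Manage booking' lookup keyed only on PNR + last name, no session required.
    Both values appear on boarding passes and confirmation mails, so they are
    identifiers, not secrets; yet the full record is returned."""
    b = BOOKINGS.get(pnr)
    if b is not None and b.last_name.casefold() == last_name.casefold():
        return b
    return None


# --- Hardened form -----------------------------------------------------------

def _authenticate(token: str) -> str:
    account = SESSIONS.get(token)
    if account is None:
        raise AuthorizationError("authentication required")
    return account


def list_my_pnrs(token: str) -> list:
    """Only the caller's own bookings are ever listed."""
    account = _authenticate(token)
    return sorted(p for p, b in BOOKINGS.items() if b.owner_id == account)


def get_booking_hardened(token: str, pnr: str) -> Booking:
    """Object-level authorization: the authenticated account must own the PNR.
    'Not found' and 'not yours' produce the same error so the endpoint cannot
    be used to confirm which PNRs exist."""
    account = _authenticate(token)
    b = BOOKINGS.get(pnr)
    if b is None or b.owner_id != account:
        raise AuthorizationError("no such booking for this account")
    return b


def access_allowed(token: str, pnr: str) -> bool:
    """Convenience wrapper used by the demo and tests."""
    try:
        get_booking_hardened(token, pnr)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Anyone: enumerate PNRs, then pull a record using data printed on a boarding pass.
    print(list_pnrs_vulnerable())
    print(get_booking_vulnerable("QX7P2A", "sharma").contact_email)
    # Hardened: owner succeeds; another account or no session gets the same refusal.
    print(access_allowed("tok-acct-101", "QX7P2A"),
          access_allowed("tok-acct-202", "QX7P2A"),
          access_allowed("", "QX7P2A"))
```

The hardened lookup takes the PNR only as a selector and derives the identity from the session, never from user-supplied fields; if a guest "manage booking" flow is genuinely required, it should return a minimal view and be rate-limited, because PNR plus surname is guessable and widely exposed.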

In the commercial facilities sector, Hangzhou Xiongmai Technology's XM530 IP cameras are affected by CVE-2025-65856, a critical authentication bypass rated 9.8. The camera's ONVIF implementation does not enforce authentication on 31 endpoints, so an unauthenticated remote attacker can read sensitive device information and view live video streams. CISA noted that a public proof-of-concept exists. [CISA]
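A practitioner with such cameras on the network will want to confirm whether ONVIF calls are answered without credentials. The following is an added check, not code from the advisory or from the vendor, and it does not reproduce the published proof-of-concept: it sends one standard ONVIF device-management call, GetDeviceInformation, with no WS-Security header and classifies the reply. Which 31 operations the advisory counts is not stated, so this probes one well-known operation; others can be substituted in the envelope. The device service path and the sample responses are assumptions (the model and serial in the sample are invented, not captured from an XM530).

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
TDS_NS = "http://www.onvif.org/ver10/device/wsdl"
# Assumption: the device exposes the ONVIF device service at the conventional path.
DEVICE_SERVICE_PATH = "/onvif/device_service"


def build_get_device_information() -> bytes:
    """A GetDeviceInformation call with no WS-Security header at all.
    A device that enforces authentication must refuse this; one that answers is leaking."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<tds:GetDeviceInformation xmlns:tds="{TDS_NS}"/>'
        '</s:Body></s:Envelope>'
    ).encode("utf-8")


def classify_response(status: int, body: bytes) -> str:
    """Map an HTTP status + SOAP body to a verdict:
    'unauthenticated_access' - the device answered the call without credentials
    'auth_enforced'          - HTTP 401/403 or an ONVIF NotAuthorized fault
    'soap_fault'             - some other fault (not proof either way)
    'unknown'                - body was not parseable SOAP"""
    if status in (401, 403):
        return "auth_enforced"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    if root.find(f".//{{{TDS_NS}}}GetDeviceInformationResponse") is not None:
        return "unauthenticated_access"
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        if b"NotAuthorized" in ET.tostring(fault):
            return "auth_enforced"
        return "soap_fault"
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the unauthenticated request to a real device (not exercised offline)."""
    req = urllib.request.Request(
        f"http://{host}:{port}{DEVICE_SERVICE_PATH}",
        data=build_get_device_information(),
        headers={"Content-Type": "application/soap+xml; charset=utf-8"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # ONVIF faults are commonly returned with HTTP 400/500; the body still matters.
        return classify_response(err.code, err.read())


# Constructed sample responses for offline use (not captured from a real device).
SAMPLE_OPEN_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
  <tds:GetDeviceInformationResponse xmlns:tds="{TDS_NS}">
    <tds:Manufacturer>ExampleCam</tds:Manufacturer>
    <tds:Model>EX-530</tds:Model>
    <tds:FirmwareVersion>1.0.0</tds:FirmwareVersion>
    <tds:SerialNumber>0000000000</tds:SerialNumber>
  </tds:GetDeviceInformationResponse>
</s:Body></s:Envelope>""".encode("utf-8")

SAMPLE_NOT_AUTHORIZED_FAULT = f"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="{SOAP_NS}" xmlns:ter="http://www.onvif.org/ver10/error"><s:Body>
  <s:Fault>
    <s:Code><s:Value>s:Sender</s:Value>
      <s:Subcode><s:Value>ter:NotAuthorized</s:Value></s:Subcode></s:Code>
    <s:Reason><s:Text xml:lang="en">Sender not authorized</s:Text></s:Reason>
  </s:Fault>
</s:Body></s:Envelope>""".encode("utf-8")


if __name__ == "__main__":
    print(classify_response(200, SAMPLE_OPEN_RESPONSE))        # unauthenticated_access
    print(classify_response(400, SAMPLE_NOT_AUTHORIZED_FAULT))  # auth_enforced
```

Run `probe("<camera-ip>")` only against devices you are authorized to test; a result of `unauthenticated_access` on GetDeviceInformation means the device is handing out at least its identity without credentials, and the same envelope pattern can be pointed at media or PTZ operations to scope the exposure further.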

Critical manufacturing is also affected: the Carlson Software VASCO-B GNSS Receiver has CVE-2026-3893, rated 9.4. The receiver does not require authentication for configuration changes, so a remote attacker can alter settings and disrupt operations. Carlson Software has released a fix and urges users to update to version 1.4.0 or later. [CISA]

Finally, the NSA's legacy GRASSMARLIN network mapping tool is affected by CVE-2026-6807, an XML external entity (XXE) vulnerability rated 5.5. The project reached end of life in 2017, so no patch will be provided; the practical mitigations are to stop opening XML from untrusted sources in the tool, or to retire it. [CISA]
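XXE arises when an XML parser honours a DOCTYPE whose entity declarations point at external resources (local files, internal URLs), so that a crafted document makes the parser read and embed them. The standard defence is to refuse any DTD in untrusted input before parsing. The following is an added example in Python, not GRASSMARLIN code (which is Java) and not tied to its file formats; the sample documents are constructed. Python's standard-library parsers do not fetch external entities by default, so the gate here is the defence-in-depth layer you would put in front of any parser that might, and it also blocks entity-expansion denial of service, which needs no external fetch at all.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Untrusted XML carried a DOCTYPE, which is where external entities are declared."""


def has_doctype(data: bytes) -> bool:
    """Detect a DTD with the real tokenizer rather than a regex, so encoding
    tricks, comments and whitespace cannot hide the declaration."""
    seen = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        nonlocal seen
        seen = True

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input or an unresolved entity reference; the DOCTYPE, if any,
        # was reported before the error, so 'seen' is already correct.
        pass
    return seen


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Refuse any document that declares a DTD, then parse normally."""
    if has_doctype(data):
        raise DtdNotAllowed("DOCTYPE/DTD not accepted from untrusted input")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the input gate refused the document."""
    try:
        parse_untrusted_xml(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed inputs. The payload is the textbook XXE shape: an external
# entity pointing at a local file, referenced from the document body.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE session [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<session><host name="&xxe;"/></session>"""

# Internal entities only, but nested expansion is the entity-expansion DoS shape.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lol [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<lol>&b;</lol>"""

# A benign document in a made-up session format (not GRASSMARLIN's).
BENIGN = b"""<?xml version="1.0"?>
<session><host name="plc-01" ip="10.0.0.5"/></session>"""


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_PAYLOAD), ("bomb", ENTITY_BOMB), ("benign", BENIGN)):
        print(label, "rejected" if is_rejected(doc) else "parsed")
```

In Java, the equivalent for a DocumentBuilderFactory or SAXParserFactory is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to true (and, where that is not available, to disable external general and parameter entities); the point is the same as the gate above: a DTD from an untrusted source is rejected outright rather than interpreted.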

Across these advisories, CISA repeats its standard guidance: minimize network exposure for control-system devices, keep them off the internet, and isolate them behind firewalls. That advice fits the cameras, the GNSS receiver and any host still running GRASSMARLIN; it does not reach a public airline booking API, which is internet-facing by design and is only fixed by adding the missing authorization checks. The common thread is that legacy systems and APIs without proper access control remain a large attack surface for unauthorized data access and system manipulation. Organizations should assess their exposure to each product and prioritize isolating or fixing internet-reachable assets. [CISA]

Synthesized by Vypr AI