Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API with no authentication (PR:N, AC:L); impact is read-only partial confidentiality disclosure (C:L) with no integrity or availability effect and unchanged scope.
Primary rating from Vendor (9119a7d8-5eab-497f-8521-727c672e3725).
CVSS VectorVendor: 9119a7d8-5eab-497f-8521-727c672e3725
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication.
AnalysisAI
Unauthenticated API exposure in the Superior Court of California's Hearing Reminder Service (hrs.courts.ca.gov) permits any internet-accessible party to retrieve court reminder records containing potentially sensitive information with no credentials or preconditions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote access, making bulk data harvesting trivial for any motivated actor. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required for exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.9 (Medium) reflects a straightforward confidentiality-only exposure: AV:N/AC:L/AT:N/PR:N/UI:N with VC:L and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An external attacker with standard internet access identifies the unauthenticated API endpoint at hrs.courts.ca.gov through OSINT, directory enumeration, or public disclosure of the CVE. The attacker issues repeated unauthenticated HTTP requests to the endpoint, iterating over case numbers or date ranges to systematically harvest court reminder records containing names, phone numbers, email addresses, case identifiers, and upcoming hearing dates for California court participants. … |
| Remediation | The primary fix is to implement authentication and authorization controls on the affected API endpoint, ensuring that court reminder records are returned only to verified and authorized requestors - such as authenticated court staff, registered members of the public with validated sessions, or systems using API keys with appropriate scoping. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42663
GHSA-3q6q-8gwq-hrm6