Skip to main content

Assassin Game

3 CVEs product

Monthly

CVE-2026-7167 MEDIUM This Month

Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact is confined to service integrity abuse - spam distribution, rate-limit evasion, and fraudulent account accumulation.

Information Disclosure Assassin Game
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-7166 CRITICAL Act Now

Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.

Information Disclosure Assassin Game
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-7165 CRITICAL Act Now

Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Assassin Game
NVD
CVSS 4.0
9.4
EPSS
0.3%
EPSS 0% CVSS 6.9
MEDIUM This Month

Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact is confined to service integrity abuse - spam distribution, rate-limit evasion, and fraudulent account accumulation.

Information Disclosure Assassin Game
NVD
EPSS 0% CVSS 9.2
CRITICAL Act Now

Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.

Information Disclosure Assassin Game
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Assassin Game
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy