CVE-2026-7166 PUBLISHED

Multiple vulnerabilities in the Assassin game by Gaudire

Assigner: INCIBE
Reserved: 27.04.2026 Published: 22.06.2026 Updated: 22.06.2026

Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data from the ‘email’ and ‘telefon’ fields. This vulnerability is also present in the local database, as it contains accessible sensitive information such as data on minors and municipal users. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to gain access to sensitive information and data.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Score: 9.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Gaudire
Product	Assassin game
Versions	Default: unaffected Version last version is affected

Solutions

There is no reported solution at this time.

Credits

Adrià Bonilla Martin k0x finder

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-assassin-game-gaudire

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE