Information Exposure Vulnerability in Viday by Viday Technologies
CVE-2025-40645

8.7HIGH

Key Information:

Vendor: Viday
Status: Viday
Vendor: CVE Published:; 2 October 2025

What is CVE-2025-40645?

The Viday application is susceptible to an information exposure vulnerability that permits unauthenticated users to exploit an insecure API endpoint. By manipulating the 'phone' parameter in an HTTP GET request directed at '/api/reserva/web/clients', attackers can retrieve sensitive customer information, raising serious concerns regarding data privacy and security for users of the platform. It is imperative for organizations using Viday to implement necessary security measures to protect against unauthorized data access.

Affected Version(s)

ViDay all versions

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 2, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

Carolina Gómez Uriarte

Gema de la Fuente Romero

JSON