Information Disclosure Vulnerability in Viday by Incibe
CVE-2025-40646

5.9MEDIUM

Key Information:

Vendor: Viday
Status: Viday
Vendor: CVE Published:; 2 October 2025

What is CVE-2025-40646?

The Viday application has a vulnerability that allows attackers to intercept HTTP requests, potentially exposing sensitive information contained in JSON Web Tokens (JWT). By leveraging this flaw, unauthorized individuals may gain access to customer data, which poses significant privacy and security risks. Organizations using Viday must implement precautionary measures to secure their applications and protect user data from unauthorized access.

Affected Version(s)

ViDay all versions

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 2, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

Carolina Gómez Uriarte

Gema de la Fuente Romero

JSON