CVE-2025-66573

UNKNOWN 0.0

Solstice Pod API Session Key Extraction via API Endpoint

CVSS Score

0.0

EPSS Score

0.1%

EPSS Percentile

24th

Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication.

CWE	CWE-319
Vendor	mersive
Product	solstice pod api
Published	Dec 4, 2025
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for mersive solstice pod api

Be the first to know when new unknown vulnerabilities affecting mersive solstice pod api are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

mersive / Solstice Pod API

5.5 6.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/52104 mersive.com: https://www.mersive.com/ documentation.mersive.com: https://documentation.mersive.com/en/solstice/about-solstice.html vulncheck.com: https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint

Credits

The Baldwin School Ethical Hackers, The Baldwin School