{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T20:09:37.167","vulnerabilities":[{"cve":{"id":"CVE-2025-43916","sourceIdentifier":"cve@mitre.org","published":"2025-04-21T14:15:36.593","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[{"sourceIdentifier":"cve@mitre.org","tags":["exclusively-hosted-service"]}],"descriptions":[{"lang":"en","value":"Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with \"Decompiling the app revealed a hardcoded secret.\""},{"lang":"es","value":"Sonos api.sonos.com hasta el 21/04/2025, al usar el punto de acceso /login/v3/oauth, acepta un redirect_uri que contiene información de usuario en el componente de autoridad, lo cual no es coherente con la sección 5.2.3.5 de la RFC 6819. Es posible que se envíe un código de autorización a un destino controlado por el atacante. Esto podría tener implicaciones adicionales en relación con el caso \"La descompilación de la aplicación reveló un secreto codificado\"."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N","baseScore":3.4,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-647"}]}],"references":[{"url":"https://github.com/larlarua/vulnerability-reports/blob/main/CVE-2025-43916/detail.md","source":"cve@mitre.org"}]}}]}