HACKERONE

curl: Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)_H1:3509437

Description

## Summary:
[A directory listing vulnerability is disclosing names and emails and so much other sensitive information, which significantly increases the severity because these are considered PII (Personally Identifiable Information). Thousands of records, publicly accessible without auth, can also be referred to as a sensitive user base. It has a very high impact on Confidentiality, as names and emails are being disclosed.]

[Do **not** use an AI to generate the report]

## Affected version
[https://curl.se/dev/inbox/]

## Steps To Reproduce:
[add details for how we can reproduce the issue]

1. [Navigate to the normal URL: https://curl.se/]
2. [Now try to access a directory /dev/inbox and the modified URL will become https://curl.se/dev/inbox]
3. [You will see all the directories that are listed on the page and also accessible publicly without any authentication.]

## Supporting Material/References:
[list any additional material (e.g. screenshots, logs, etc.)]

* [attachment / reference]

## Impact

## Summary:
Usernames and emails are being disclosed to unauthorized parties. This is direct exposure of PII, and attackers gain information they shouldn't have access to. It has High impact on Confidentiality as it's widespread (thousands of records, publicly accessible without auth, sensitive user base).

Basic Information

ID H1:3509437
Published Jan 13, 2026 at 21:02
Modified Jan 14, 2026 at 09:32
