Impact
The vulnerability stems from the 'snapshot diff' functions in qSnapper, which lack proper authentication controls. A local user can therefore invoke these functions and access information that should be protected. The flaw corresponds to CWE-306, Missing Authentication, and permits disclosure of data from the application's protected data stores.
Affected Systems
Installations of presire's qSnapper before version 1.3.3 are affected. Users running any earlier release of the snap creation tool are exposed to the described information leak. The flaw exists in the component that calculates differences between snapshots, and the missing authentication check applies to all local instances of the tool.
Risk and Exploitability
The CVSS score of 6.9 places the vulnerability at medium severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, which indicates limited publicly available exploit tooling. Because the weakness is exploitable locally, an attacker with user or root privileges on the same host can read sensitive data once the diff functions are called. The description does not indicate any remote attack surface.