CVE-2025-66027

Exploit

EPSS 0.3%
Veröffentlicht 29.11.2025 00:43:02
Zuletzt bearbeitet 03.12.2025 20:25:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rallly Information Disclosure Vulnerability in Participant API Leaks Names and Emails Despite Pro Privacy Settings

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rallly ≫ Rallly Version < 4.5.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.21

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg

Vendor Advisory

Exploit

https://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963

Patch

https://github.com/lukevella/rallly/releases/tag/v4.5.6

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-66027

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66027

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66027

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-66027