PT-2025-39658 · Flagforge · Flagforge

Published 2025-09-26 · Updated 2025-09-26 · CVE-2025-59843

CVSS v4.0: 6.9
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

**Name of the Vulnerable Software and Affected Versions**

Flag Forge versions 2.0.0 through 2.3.0

**Description**

Flag Forge, a Capture The Flag (CTF) platform, exposes user email addresses through its public API. The endpoint `/api/user/[username]` requires no authentication (PR:N in the vector above) and includes the looked-up user's email address in its JSON response, so anyone who knows or can guess a username obtains that user's email. Version 2.3.1 fixes the issue by removing email addresses from public API responses; the endpoint itself stays publicly accessible. The vulnerable parameter is `username`.
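The pattern behind this class of bug, and the shape of the fix the advisory describes, as an added example that is not Flag Forge's code: a public profile handler in the style of a Next.js dynamic route (`/api/user/[username]`), once serializing the whole user record and once projecting an explicit allowlist of public fields, plus a check that walks a JSON response for email-shaped values so the regression can be caught in a test. The user record, the in-memory database and every function name are constructed for this example.

```javascript
// Added example (not Flag Forge's code). Shows a leaking serializer next to
// an allowlisted one, and a response check for email-shaped values.
// All names and data below are hypothetical.

// Constructed sample record standing in for a user row from the database.
const SAMPLE_USER = {
  id: 42,
  username: "alice",
  email: "alice@example.com", // must never reach an unauthenticated caller
  score: 1337,
  solvedChallenges: ["web-100", "crypto-200"],
  createdAt: "2025-01-01T00:00:00Z",
};

// Vulnerable shape: the whole record is serialized, so private columns leak.
function serializeUserVulnerable(user) {
  return JSON.stringify(user);
}

// Hardened shape: project an explicit allowlist of public fields. A column
// added to the user table later cannot widen this response by accident,
// which a blocklist (delete user.email) would not guarantee.
const PUBLIC_USER_FIELDS = ["username", "score", "solvedChallenges", "createdAt"];

function publicUserView(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}

function serializeUserPublic(user) {
  return JSON.stringify(publicUserView(user));
}

// Minimal lookup standing in for the route handler. The endpoint stays
// public (no auth check), as in the advisory; only the projection changes.
function handleGetUser(username, db, serialize) {
  const user = db.get(username);
  if (!user) return { status: 404, body: JSON.stringify({ error: "not found" }) };
  return { status: 200, body: serialize(user) };
}

// Regression check: walk a parsed JSON body and return the paths of every
// string value that looks like an email address, wherever it is nested.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function findEmailLeaks(value, path = "$") {
  const hits = [];
  if (typeof value === "string") {
    if (EMAIL_RE.test(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findEmailLeaks(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      hits.push(...findEmailLeaks(v, `${path}.${k}`));
    }
  }
  return hits;
}

function responseLeaksEmail(body) {
  return findEmailLeaks(JSON.parse(body)).length > 0;
}

// Stand-alone demonstration with a constructed in-memory "database".
const db = new Map([[SAMPLE_USER.username, SAMPLE_USER]]);
const before = handleGetUser("alice", db, serializeUserVulnerable);
const after = handleGetUser("alice", db, serializeUserPublic);
console.log("vulnerable response leaks email:", responseLeaksEmail(before.body)); // true
console.log("allowlisted response leaks email:", responseLeaksEmail(after.body)); // false
```

The same `findEmailLeaks` walk can be pointed at the body of a real `GET /api/user/<username>` response (for example from a CI smoke test run against a staging instance) to confirm after the upgrade that no email-shaped value is present anywhere in the JSON tree, not just at the top level.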

**Recommendations**

Upgrade to Flag Forge version 2.3.1 or later. After upgrading, confirm that a request to `/api/user/[username]` for a known username no longer returns an email address in the JSON response; the endpoint remains public by design, so the absence of the field is the thing to verify.

Related Identifiers

CVE-2025-59843

Affected Products

Flagforge