PT-2025-48352 · Rallly · Rallly

Published: 2025-11-29 · Updated: 2025-11-29 · CVE-2025-66027

CVSS v4.0: 7.1
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Rallly versions prior to 4.5.6
Description: Rallly is a scheduling and collaboration tool. Versions before 4.5.6 disclose participant details, such as names and email addresses, to callers who are not authorized to see them. The data is returned by the /api/trpc/polls.get,polls.participants.list API endpoint, a tRPC batch request that invokes the polls.get and polls.participants.list procedures in a single call; the participant data comes from polls.participants.list. The disclosure occurs even when the Pro privacy features intended to hide participants are enabled, so those privacy controls are bypassed. The CVSS vector rates the issue as network-reachable with low privileges required (PR:L), i.e. a low-privileged authenticated user is enough to retrieve the data.
Recommendations: Update to version 4.5.6 or later.
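The flaw class described above, as an added example that is not Rallly's code: a minimal TypeScript model of a tRPC-style participants-list procedure that ignores the poll's privacy setting, beside a hardened version that decides per request from the caller's identity and the poll record rather than from anything the client sends. The `hideParticipants` flag, the user and poll shapes, the error classes and the sample data are all assumptions constructed for this example.

```typescript
// Added illustration, not Rallly's code. Models a "polls.participants.list"
// procedure without and with an authorization check on the poll's privacy
// setting. Field names and the hideParticipants flag are assumptions.

type User = { id: string; isAdmin: boolean } | null;

type Participant = { id: string; name: string; email: string };

// What a caller who is neither owner nor admin is allowed to see.
type PublicParticipant = { id: string; name: string | null };

type Poll = {
  id: string;
  ownerId: string;
  hideParticipants: boolean; // assumed name for the Pro privacy setting
  participants: Participant[];
};

class NotFoundError extends Error {}

// Constructed sample data standing in for the database.
const polls: Record<string, Poll> = {
  p1: {
    id: "p1",
    ownerId: "owner-1",
    hideParticipants: true,
    participants: [
      { id: "a", name: "Alice", email: "alice@example.org" },
      { id: "b", name: "Bob", email: "bob@example.org" },
    ],
  },
};

function loadPoll(pollId: string): Poll {
  const poll = polls[pollId];
  if (!poll) throw new NotFoundError(`poll ${pollId} not found`);
  return poll;
}

// Vulnerable shape: the privacy flag exists on the poll, but the list
// procedure never consults it or the caller's identity, so anyone who
// knows the poll id receives every participant's name and email.
function listParticipantsVulnerable(_user: User, pollId: string): Participant[] {
  return loadPoll(pollId).participants;
}

// Hardened shape: the decision is made server-side from the resolved poll
// and the authenticated caller. Emails are only ever returned to the owner
// or an admin; names are withheld as well when participants are hidden.
function listParticipantsHardened(
  user: User,
  pollId: string,
): Participant[] | PublicParticipant[] {
  const poll = loadPoll(pollId);
  const isOwner = user !== null && user.id === poll.ownerId;
  const isAdmin = user !== null && user.isAdmin;

  if (isOwner || isAdmin) {
    return poll.participants;
  }
  if (poll.hideParticipants) {
    // Opaque ids only, so the UI can still count responses.
    return poll.participants.map((p) => ({ id: p.id, name: null }));
  }
  return poll.participants.map((p) => ({ id: p.id, name: p.name }));
}

// Check helper: does a response expose an email address to its recipient?
function exposesEmail(rows: ReadonlyArray<object>): boolean {
  return rows.some(
    (row) => "email" in row && typeof (row as { email?: unknown }).email === "string",
  );
}
```

Usage: calling `listParticipantsHardened({ id: "user-9", isAdmin: false }, "p1")` returns two rows with `name: null` and no `email` field, while the owner `{ id: "owner-1", isAdmin: false }` still receives the full records. The point of the shape is that redaction is applied to the server's own copy of the data before it leaves the procedure, so a batched call such as the endpoint named in this advisory cannot pick up fields the caller was never meant to see.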

Fix

Weakness Enumeration

Improper Access Control
Information Disclosure

Related Identifiers

CVE-2025-66027

Affected Products

Rallly