CVE-2025-66027

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Rallly versions prior to 4.5.6

Description Rallly is a scheduling and collaboration tool. A flaw allows unauthorized disclosure of participant details, such as names and email addresses. This occurs through the /api/trpc/polls.get,polls.participants.list API endpoint, even when Pro privacy features are enabled, bypassing intended privacy controls. The polls.participants.list endpoint is involved in the disclosure.

Recommendations Update to version 4.5.6 or later.

Exploit

Fix

Improper Access Control

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-200CWE-359

Related Identifiers

CVE-2025-66027

GHSA-65WG-8XGW-F3FG

Affected Products

Rallly

CVE-2025-66027

Weakness Enumeration

Related Identifiers

Affected Products

References · 12