CVE-2025-24899

Name of the Vulnerable Software and Affected Versions: reNgine versions prior to 2.2.0

Description: A vulnerability was discovered in reNgine, where an insider attacker with any role can extract sensitive information from other reNgine users. After running a scan and obtaining vulnerabilities from a target, the attacker can retrieve details such as username, password, email, role, first name, last name, status, and activity information by making a GET request to "/api/listVulnerability/".

Recommendations: For versions prior to 2.2.0, update to version 2.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/listVulnerability/" endpoint until the update is applied. Avoid using sensitive information in the affected API endpoint until the issue is resolved.