Vulnerability Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rallly | Rallly | < 4.5.6 |
Related Weaknesses (CWE)
References
- https://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134Patch
- https://github.com/lukevella/rallly/releases/tag/v4.5.6Release Notes
- https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fgExploitVendor Advisory
- https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fgExploitVendor Advisory
FAQ
What is CVE-2025-66027?
CVE-2025-66027 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the...
How severe is CVE-2025-66027?
CVE-2025-66027 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66027?
Check the references section above for vendor advisories and patch information. Affected products include: Rallly Rallly.