Lukevella Rallly vulnerabilities
12 known vulnerabilities affecting lukevella/rallly.
Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 5, LOW 1
Vulnerabilities
CVE-2025-47781 | priority P2 | CRITICAL | CVSS 9.8 | CWE-331 | affected: ≤ 3.11.2 | published: 2025-05-14 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Versions up to and including 3.22.1 of the application features token based authentication. When a user attempts to login to the application, they insert their email and a 6 digit code is sent to their email address to complete the authentication. A token that consists of 6 digits only pr
CVE-2025-65021 | priority P3 | CRITICAL | CVSS 9.1 | CWE-285 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to fi
CVE-2025-65029 | priority P3 | HIGH | CVSS 8.1 | CWE-285 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other
CVE-2025-65033 | priority P3 | HIGH | CVSS 8.1 | CWE-285 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll
CVE-2025-65034 | priority P3 | HIGH | CVSS 8.1 | CWE-639 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. Th
CVE-2025-65030 | priority P3 | HIGH | CVSS 7.1 | CWE-285 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting
CVE-2025-65031 | priority P3 | MEDIUM | CVSS 6.5 | CWE-285 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones
CVE-2025-65028 | priority P3 | MEDIUM | CVSS 6.5 | CWE-285 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants' votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ow
CVE-2025-65032 | priority P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker ca
CVE-2025-65020 | priority P3 | MEDIUM | CVSS 6.5 | CWE-285 | fixed in 4.5.4 | published: 2025-11-19 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets
CVE-2025-66027 | priority P3 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 4.5.6 | published: 2025-11-29 | source: NVD
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses, through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should
CVE-2026-6493 | priority P4 | LOW | CVSS 3.5 | CWE-79 | affected: v4.7.0, v4.7.1, +3 more | published: 2026-04-17 | source: NVD
A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit