CVE-2025-65021 · CRITICAL 9.1 · EPSS percentile 25.1%


Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.34% probability of exploitation · percentile 25.1% · 2026-06-18T12:00:27Z
Published: 2025-11-19
Last modified: 2025-11-25

Underlying weaknesses · 3

CWE-285, CWE-639, CWE-862

References

  1. https://github.com/lukevella/rallly/releases/tag/v4.5.4
  2. https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8

Weakness mappings · 3

Type      | Target                                                    | Confidence | Tier
Weakness  | Improper Authorization (CWE-285)                          | 0%         | live
Weakness  | Authorization Bypass Through User-Controlled Key (CWE-639) | 0%         | live
Weakness  | Missing Authorization (CWE-862)                           | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-65029
  2. CVE-2025-65034
  3. CVE-2025-65033
  4. CVE-2025-47781
  5. CVE-2025-56392
  6. CVE-2025-47545

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.