CVE-2025-65029 · HIGH 8.1 · EPSS p20.4%

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4.
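The description above pins the bug to a single missing step: the handler resolves the row from the client-supplied participant ID and deletes it without relating that row to the caller. The following is an added illustration of that pattern next to a hardened version; it is not Rallly's code, the types, the in-memory store and the function names are hypothetical, and the data is constructed.

```typescript
// Added illustration of the authorization flaw described above (deletion
// keyed solely on a participant ID) beside a hardened version that ties the
// operation to the caller. Not Rallly's code: types, store and function
// names are hypothetical, and the rows below are constructed test data.

type UserId = string;

interface Poll {
  id: string;
  ownerId: UserId;
}

interface Participant {
  id: string;
  pollId: string;
  // null models a guest response that no logged-in account owns
  userId: UserId | null;
}

// Constructed in-memory tables standing in for the database.
const polls = new Map<string, Poll>();
const participants = new Map<string, Participant>();

// Reset the store to a known state: one poll owned by alice, with rows for
// alice, bob and an anonymous guest.
function seed(): void {
  polls.clear();
  participants.clear();
  polls.set("poll-1", { id: "poll-1", ownerId: "alice" });
  participants.set("p-alice", { id: "p-alice", pollId: "poll-1", userId: "alice" });
  participants.set("p-bob", { id: "p-bob", pollId: "poll-1", userId: "bob" });
  participants.set("p-guest", { id: "p-guest", pollId: "poll-1", userId: null });
}

// Vulnerable shape (CWE-639 / CWE-862): authentication happens upstream, but
// the handler never asks who the caller is in relation to the row. The caller
// identity is accepted and then ignored, so any logged-in user who obtains a
// participant ID can delete that participant, the poll owner's own row included.
function deleteParticipantVulnerable(_callerId: UserId, participantId: string): boolean {
  if (!participants.has(participantId)) {
    return false;
  }
  participants.delete(participantId);
  return true;
}

type DeleteResult = "deleted" | "not_found" | "forbidden";

// Hardened shape: resolve the participant and its poll, then require the
// caller to be the poll owner or the account that owns the participant row.
// Guest rows (userId null) can only be removed by the poll owner, so an
// attacker cannot claim an anonymous response as their own.
function deleteParticipantHardened(callerId: UserId, participantId: string): DeleteResult {
  const participant = participants.get(participantId);
  if (!participant) {
    return "not_found";
  }
  const poll = polls.get(participant.pollId);
  if (!poll) {
    return "not_found";
  }
  const isPollOwner = poll.ownerId === callerId;
  const isOwnRow = participant.userId !== null && participant.userId === callerId;
  if (!isPollOwner && !isOwnRow) {
    return "forbidden";
  }
  participants.delete(participantId);
  return "deleted";
}
```

Two practical notes on the hardened form. First, the ownership condition belongs in the same query as the delete (in ORM terms, a conditional delete whose where-clause includes the caller relation), not in a separate read followed by an unconditional delete, otherwise a concurrent change between the check and the write reopens the gap. Second, returning a distinct "forbidden" makes the example easy to follow, but a production endpoint may prefer to answer "not_found" for both cases so that the response does not confirm which participant IDs exist.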

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.4% · 2026-06-19T12:03:05Z
Published: 2025-11-19
Last modified: 2025-11-25

Underlying weaknesses · 3

CWE-285 · CWE-639 · CWE-862

References

  1. https://github.com/lukevella/rallly/releases/tag/v4.5.4
  2. https://github.com/lukevella/rallly/security/advisories/GHSA-f8jc-6746-ww95

Weakness mappings · 3

Type     | Target                                                     | Confidence | Tier
Weakness | Improper Authorization (cwe-285)                           | 0%         | live
Weakness | Authorization Bypass Through User-Controlled Key (cwe-639) | 0%         | live
Weakness | Missing Authorization (cwe-862)                            | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE · CVE-2025-65021
  2. CVE · CVE-2025-65034
  3. CVE · CVE-2025-65033
  4. CVE · CVE-2025-47781
  5. CVE · CVE-2026-5652
  6. CVE · CVE-2025-56392

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.