CVE-2025-65033 · HIGH 8.1 · EPSS p20.4%

CVE-2025-65033

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The pause/resume action identifies the target poll solely by its public pollId and never verifies that the user performing the action is the poll's owner, so possession of the identifier alone is treated as authorization. As a result, any logged-in user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.
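The following TypeScript is an added illustration of the pattern the description names (a mutation keyed only on a client-supplied pollId) beside the ownership check that closes it. It is not Rallly's code: the Store, Poll and User shapes, the user ids, and the function names are assumptions made for the example, and the sample data is constructed.

```typescript
// Added illustration of the authorization gap behind CVE-2025-65033 and of the
// ownership check that closes it. NOT Rallly's code: the Store, Poll and User
// shapes, the user ids and the function names are assumptions for the example.

type PollStatus = "live" | "paused";

interface Poll {
  id: string;      // public id sent by the client; the only input the flawed path trusted
  ownerId: string; // user who created the poll
  status: PollStatus;
}

interface User {
  id: string;
  isAdmin: boolean;
}

interface Store {
  polls: Map<string, Poll>;
  users: Map<string, User>;
}

class NotFoundError extends Error {
  constructor(msg: string) { super(msg); Object.setPrototypeOf(this, NotFoundError.prototype); }
}
class AuthorizationError extends Error {
  constructor(msg: string) { super(msg); Object.setPrototypeOf(this, AuthorizationError.prototype); }
}

// Constructed sample data: alice and bob each own one poll; mallory is an
// ordinary authenticated user who owns nothing; root is an instance admin.
function createSampleStore(): Store {
  return {
    polls: new Map<string, Poll>([
      ["poll-alice", { id: "poll-alice", ownerId: "alice", status: "live" }],
      ["poll-bob", { id: "poll-bob", ownerId: "bob", status: "live" }],
    ]),
    users: new Map<string, User>([
      ["alice", { id: "alice", isAdmin: false }],
      ["bob", { id: "bob", isAdmin: false }],
      ["mallory", { id: "mallory", isAdmin: false }],
      ["root", { id: "root", isAdmin: true }],
    ]),
  };
}

// Authentication only: answers "who is calling?", not "may they touch this poll?".
function requireUser(store: Store, callerId: string | null): User {
  const user = callerId ? store.users.get(callerId) : undefined;
  if (!user) throw new AuthorizationError("login required");
  return user;
}

// Vulnerable shape (CWE-639): the poll is resolved purely from the client-supplied
// pollId and mutated. Any logged-in user can pause or resume any poll because
// poll.ownerId is never compared with the caller.
function setPollStatusVulnerable(store: Store, callerId: string | null, pollId: string, status: PollStatus): Poll {
  requireUser(store, callerId);
  const poll = store.polls.get(pollId);
  if (!poll) throw new NotFoundError(`poll ${pollId} not found`);
  poll.status = status;
  return poll;
}

// Fixed shape (CWE-285 addressed): the decision is made on the (caller, poll) pair
// before the write. Owner or admin may proceed; everyone else is refused and the
// poll is left untouched.
function setPollStatusFixed(store: Store, callerId: string | null, pollId: string, status: PollStatus): Poll {
  const caller = requireUser(store, callerId);
  const poll = store.polls.get(pollId);
  if (!poll) throw new NotFoundError(`poll ${pollId} not found`);
  if (poll.ownerId !== caller.id && !caller.isAdmin) {
    throw new AuthorizationError(`user ${caller.id} does not own poll ${pollId}`);
  }
  poll.status = status;
  return poll;
}

// Replays the same cross-user request (mallory pausing alice's poll) through a
// handler on a fresh store and reports whether the poll actually got paused.
function crossUserPauseAllowed(handler: typeof setPollStatusFixed): boolean {
  const store = createSampleStore();
  try {
    handler(store, "mallory", "poll-alice", "paused");
  } catch (e) {
    if (e instanceof AuthorizationError) return false;
    throw e;
  }
  return store.polls.get("poll-alice")!.status === "paused";
}

console.log("vulnerable handler lets mallory pause alice's poll:", crossUserPauseAllowed(setPollStatusVulnerable));
console.log("fixed handler lets mallory pause alice's poll:", crossUserPauseAllowed(setPollStatusFixed));
```

The point the example makes is that authentication (a valid session) and authorization (this caller may act on this poll) are separate checks; the flaw is a mutation that performed only the first. In a real ORM-backed handler the same property is often obtained by folding the owner condition into the lookup itself (fetch the poll where id = pollId and ownerId = caller), so that a non-owner gets the same "not found" as a bogus id and no second code path can forget the check.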

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.4% · 2026-06-19T12:03:05Z
Published: 2025-11-19
Last modified: 2025-11-24

Underlying weaknesses · 2

CWE-285 · CWE-639

References

  1. https://github.com/lukevella/rallly/releases/tag/v4.5.4
  2. https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3

Weakness entities · 2

Type      Target                                                      Confidence  Tier
Weakness  Improper Authorization (cwe-285)                            0%          live
Weakness  Authorization Bypass Through User-Controlled Key (cwe-639)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2025-65034
CVE · CVE-2025-65021
CVE · CVE-2025-65029
CVE · CVE-2025-47781
CVE · CVE-2025-24577
CVE · CVE-2025-47545

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.