Unrated severity · NVD Advisory · Published Sep 26, 2025 · Updated Jan 28, 2026

FlagForgeCTF Exposes User Emails via Public /api/user/[username] API

CVE-2025-59843

Description

Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability.
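The defect described above is a public profile endpoint serializing the full user record. The following is an added example, not Flag Forge's code: a Next.js-style handler shape (framework and field names are assumptions) that builds the response from an explicit allowlist, shown next to the leaky pattern and a regression check that flags any email in a response body.

```javascript
// Added example (not Flag Forge's code): serialize a user record for a public
// /api/user/[username] endpoint from an explicit allowlist so private fields
// such as email never reach the response, whatever the stored record holds.

// Constructed sample record standing in for a database row (hypothetical fields).
const SAMPLE_USER = {
  username: "alice",
  email: "alice@example.com",
  passwordHash: "$2b$10$constructedhash",
  displayName: "Alice",
  score: 1337,
  createdAt: "2025-01-01T00:00:00Z",
};

// Fields a public profile response may carry. Anything not listed is dropped.
const PUBLIC_USER_FIELDS = ["username", "displayName", "score", "createdAt"];

// Leaky pattern: the record is returned as fetched, email included.
function toPublicUserVulnerable(user) {
  return { ...user };
}

// Hardened pattern: copy only allowlisted fields into the response object.
function toPublicUser(user) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (user[field] !== undefined) out[field] = user[field];
  }
  return out;
}

// Regression check for a response body: true if any key is email-like or any
// string value matches an email shape, so a test suite catches a relapse.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function responseLeaksEmail(body) {
  return Object.entries(body).some(
    ([key, value]) =>
      /email/i.test(key) || (typeof value === "string" && EMAIL_RE.test(value))
  );
}

// Handler shape for a dynamic API route; `findUser` stands in for the real
// lookup and defaults to the constructed record for offline use.
function handleGetUser(username, findUser = () => SAMPLE_USER) {
  const user = findUser(username);
  if (!user) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: toPublicUser(user) };
}
```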


Affected products

  • Flag Forge (vendor Flagforgectf), versions >= 2.0.0, < 2.3.2 (no CPE assigned)
