Unrated severity · NVD Advisory · Published Sep 26, 2025 · Updated Jan 28, 2026
FlagForgeCTF Exposes User Emails via Public /api/user/[username] API
CVE-2025-59843
Description
Flag Forge is a Capture The Flag (CTF) platform. In versions 2.0.0 up to but not including 2.3.2, the public endpoint /api/user/[username] returns the user's email address in its JSON response, so anyone who can reach the endpoint can read the email of any user whose username they know. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Because the endpoint stays public, there is no configuration workaround: users should upgrade to version 2.3.2 or later to eliminate the exposure.
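The pattern the description implies, shown as an added example rather than FlagForge's own code: a profile handler that serialises the whole user record (and so leaks the email field) beside a hardened handler that projects an explicit allowlist of public fields, plus a response check a practitioner can run against a saved or live /api/user/[username] body to confirm the fix after upgrading. The user record shape, the field names and the helper names are assumptions for illustration; the sample record is constructed.

```javascript
// Added example, not code from the FlagForge repository.
// The record shape below is constructed for illustration.
const SAMPLE_USER = {
  username: "alice",
  email: "alice@example.org",   // private: must not reach a public response
  score: 1337,
  solves: ["web-100", "pwn-200"],
  passwordHash: "$2b$12$constructedplaceholder",
};

// Vulnerable pattern (the behaviour the advisory describes): the entire
// record is serialised, so every private field ships with the public profile.
function vulnerableProfileResponse(user) {
  return JSON.stringify(user);
}

// Hardened pattern: project an allowlist of public fields. Anything not listed,
// including columns added to the record later, is dropped by construction.
const PUBLIC_FIELDS = ["username", "score", "solves"];
function hardenedProfileResponse(user) {
  const projected = Object.fromEntries(
    PUBLIC_FIELDS.filter((k) => k in user).map((k) => [k, user[k]])
  );
  return JSON.stringify(projected);
}

// Verification check: walk any JSON value and report the paths of keys named
// like an email or whose string value looks like one.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function findEmailLeaks(value, path = "$") {
  const leaks = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => leaks.push(...findEmailLeaks(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = `${path}.${k}`;
      if (/email/i.test(k) || (typeof v === "string" && EMAIL_RE.test(v))) {
        leaks.push(p);
      }
      leaks.push(...findEmailLeaks(v, p));
    }
  }
  return leaks;
}

function responseLeaksEmail(body) {
  return findEmailLeaks(JSON.parse(body)).length > 0;
}

// Live probe for a deployed instance (needs network; not exercised offline).
// baseUrl and the route are assumptions matching the advisory's endpoint name.
async function probeProfileEndpoint(baseUrl, username) {
  const res = await fetch(`${baseUrl}/api/user/${encodeURIComponent(username)}`);
  const body = await res.text();
  return { status: res.status, leaks: findEmailLeaks(JSON.parse(body)) };
}
```

Run `responseLeaksEmail` over the body returned by an unauthenticated request for a known username: a non-empty result from `findEmailLeaks` on a 2.x instance below 2.3.2 reproduces the disclosure, and an empty result after the upgrade confirms that the public response no longer carries the field.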
Affected products
- Range: >= 2.0.0, < 2.3.2
Patches
No patches indexed yet; the fix shipped in version 2.3.2 (see the References below).
Vulnerability mechanics
Not yet synthesised for this CVE. From the description: the public profile endpoint /api/user/[username] includes the user's email field in its JSON response, so any client that can reach the endpoint can read the email address of any user whose username it knows. The fix in 2.3.2 strips email addresses from public API responses; the endpoint itself remains public.
References
- github.com/FlagForgeCTF/flagForge/commit/1b033f1b6e20fbf6df422d5d1afc9b2347528ace
- github.com/FlagForgeCTF/flagForge/compare/v2.3.1...v2.3.2
- github.com/FlagForgeCTF/flagForge/releases/tag/v2.3.1
- github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-qqjv-8r5p-7xpj
News mentions
No linked articles in our index yet.