VYPR

Flagforge

by Flagforgectf

Source repositories

CVEs (8)

  • CVE-2026-21868 (Jan 8, 2026)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user…

  • CVE-2025-61777 (Oct 6, 2025)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could…

  • CVE-2025-59932 (Sep 27, 2025)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthorized users to create, modify, or delete…

  • CVE-2025-59843 (Sep 26, 2025)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email…

  • CVE-2025-59841 (Sep 25, 2025)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF…

  • CVE-2025-59833 (Sep 24, 2025)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view…

  • CVE-2025-59827 (Sep 24, 2025)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege escalation and…

  • CVE-2025-59826 (Sep 23, 2025)
    risk 0.00 · cvss · epss 0.00

    Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges, potentially introducing malicious, incorrect, or misleading content. This issue has been patched in version 2.2.0.