VYPR

Vendor: Lukevella
Products: 1
CVEs: 12 (12 across products)
Status: Private

Recent CVEs (12)
  • CVE-2026-6493 (Low), Apr 17, 2026
    risk 0.16, CVSS 3.5, EPSS 0.00

    A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can…

  • CVE-2025-66027, Nov 29, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy…

  • CVE-2025-65034, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by…

  • CVE-2025-65033, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls,…

  • CVE-2025-65032, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By…

  • CVE-2025-65031, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables…

  • CVE-2025-65030, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely…

  • CVE-2025-65029, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a…

  • CVE-2025-65021, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the…

  • CVE-2025-65020, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying…

  • CVE-2025-65028, Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the…

  • CVE-2025-47781, May 14, 2025
    risk 0.00, CVSS not listed, EPSS 0.01

    Rallly is an open-source scheduling and collaboration tool. Versions up to and including 3.22.1 of the application feature token-based authentication. When a user attempts to log in to the application, they enter their email and a 6-digit code is sent to their email address to…