QwikSec

Security Database

CVE

CWE

Training

CVE-2025-66027

Published: Nov 29, 2025

Modified: Dec 1, 2025

PUBLISHED

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.

Vendor	Product	Versions
lukevella	rallly	affected `< 4.5.6`

Weaknesses (CWE)

References

https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg

x_refsource_CONFIRM

https://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963

x_refsource_MISC

https://github.com/lukevella/rallly/releases/tag/v4.5.6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.