lag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability.
29 Jan 2026, 00:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability. | |
| References |
|
08 Oct 2025, 16:30
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
| References | () https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-qqjv-8r5p-7xpj - Vendor Advisory | |
| First Time |
Flagforge
Flagforge flagforge |
29 Sep 2025, 19:34
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Published : 2025-09-26 16:15
Updated : 2026-01-29 00:16
NVD link : CVE-2025-59843
Mitre link : CVE-2025-59843
CVE.ORG link : CVE-2025-59843
JSON object : View
Exposure of Private Personal Information to an Unauthorized Actor