Alaeddine

13 exploits Active since Nov 2025
CVE-2026-28793 GITHUB HIGH SUSPICIOUS
TinaCMS CLI <2.1.8 - Path Traversal
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.
CVSS 8.4
CVE-2026-29066 GITHUB MEDIUM WRITEUP
ssw/tinacms/cli < 2.1.8 - Unauthenticated Arbitrary File Read via Vite Dev Server Misconfiguration
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
CVSS 6.2
CVE-2026-28792 GITHUB CRITICAL WRITEUP
ssw/tinacms/cli < 2.1.8 - Unauthenticated Path Traversal and Arbitrary File Write via CORS Misconfiguration
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
CVSS 9.6
CVE-2025-65029 GITHUB HIGH WRITEUP
rallly < 4.5.4 - Authenticated Insecure Direct Object Reference in Participant Deletion Endpoint
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4.
CVSS 8.1
CVE-2025-65030 GITHUB HIGH WRITEUP
rallly < 4.5.4 - Authenticated Authorization Bypass via Comment Deletion API
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4.
CVSS 7.1
CVE-2025-65031 GITHUB MEDIUM WRITEUP
rallly < 4.5.4 - Authenticated User Impersonation via Comment AuthorName Field
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4.
CVSS 6.5
CVE-2025-65020 GITHUB MEDIUM WRITEUP
rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via Poll Duplication Endpoint
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4.
CVSS 6.5
CVE-2025-65033 GITHUB HIGH WRITEUP
rallly < 4.5.4 - Authenticated Authorization Bypass in Poll Management
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.
CVSS 8.1
CVE-2025-65034 GITHUB HIGH WRITEUP
rallly < 4.5.4 - Authenticated Authorization Bypass via PollId Parameter
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.
CVSS 8.1
CVE-2025-66027 GITHUB MEDIUM WRITEUP
rallly < 4.5.6 - Unauthenticated Information Disclosure via API Endpoint
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.
CVSS 6.5
CVE-2025-65032 GITHUB MEDIUM WRITEUP
rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via ParticipantId Parameter
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user’s name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4.
CVSS 6.5
CVE-2025-65021 GITHUB CRITICAL WRITEUP
rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via Poll Finalization
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.
CVSS 9.1
CVE-2025-65028 GITHUB MEDIUM WRITEUP
rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via ParticipantId Parameter
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4.
CVSS 6.5