CVE-2025-65020
MEDIUMRallly < 4.5.4 - Missing Authorization
Title source: ruleDescription
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4.
Exploits (1)
github
WRITEUP
by alaeddine03 · poc
https://github.com/alaeddine03/CVE-Disclosures/tree/main/Rallly/CVE-2025-65020
Scores
CVSS v3
6.5
EPSS
0.0004
EPSS Percentile
13.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-639
CWE-862
CWE-285
Status
published
Products (1)
rallly/rallly
< 4.5.4
Published
Nov 19, 2025
Tracked Since
Feb 18, 2026