rallly — Vulnerabilities & Security Advisories 12

All 12 CVE vulnerabilities found in rallly, with AI-generated Chinese analysis, references, and POCs.

Vendor: lukevella

CVE ID	Title	CVSS	Severity	Published
CVE-2026-6493	lukevella rallly Reset Password reset-password-form.tsx cross site scripting CWE-79	3.5	Low	2026-04-17
CVE-2025-66027	Rallly Information Disclosure Vulnerability in Participant API Leaks Names and Emails Despite Pro Privacy Settings CWE-200	4.3	-	2025-11-29
CVE-2025-65034	Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId CWE-639	8.1	High	2025-11-19
CVE-2025-65033	Rallly Broken Authorization: Any User Can Pause or Resume Any Poll via Poll ID Manipulation CWE-285	8.1	High	2025-11-19
CVE-2025-65032	Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users’ Names CWE-639	6.5	Medium	2025-11-19
CVE-2025-65031	Rallly Improper Authorization in Comment Endpoint Allows User Impersonation CWE-285	6.5	Medium	2025-11-19
CVE-2025-65030	Rallly Improper Authorization in Comment Deletion Endpoint Allows Unauthorized Comment Removal CWE-285	7.1	High	2025-11-19
CVE-2025-65029	Rallly Has an IDOR Vulnerability in Participant Deletion Endpoint Allows Unauthorized Removal of Poll Participants CWE-285	8.1	High	2025-11-19
CVE-2025-65021	Rallly Has Unauthorized Poll Finalization via Insecure Direct Object Reference (IDOR) CWE-285	9.1	Critical	2025-11-19
CVE-2025-65020	Rallly Has Unauthorized Poll Duplication via Insecure Direct Object Reference (IDOR) CWE-285	6.5	Medium	2025-11-19
CVE-2025-65028	Rallly Has an IDOR Vulnerability in Vote Update Endpoint Allows Unauthorized Manipulation of Participant Votes CWE-285	6.5	Medium	2025-11-19
CVE-2025-47781	Rallly Insufficient Password Login Token Entropy Leads to Account Takeover CWE-331	9.8	Critical	2025-05-14

All 12 known CVE vulnerabilities affecting rallly with full Chinese analysis, references, and POCs where available.