Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability.
References
Configurations
History
29 Jan 2026, 00:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
| Summary | (en) Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability. |
08 Oct 2025, 16:30
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:* | |
| First Time |
Flagforge
Flagforge flagforge |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
| References | () https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-qqjv-8r5p-7xpj - Vendor Advisory |
26 Sep 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-26 16:15
Updated : 2026-01-29 00:16
NVD link : CVE-2025-59843
Mitre link : CVE-2025-59843
CVE.ORG link : CVE-2025-59843
JSON object : View
Products Affected
flagforge
- flagforge
CWE
CWE-359
Exposure of Private Personal Information to an Unauthorized Actor