Aggregates CVE and security vulnerability intelligence across all flagforge-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk path handling and vendor risk denial of service, with potential vendor impact file overwrite across vendor surface software deployment use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-21868 | Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume | [email protected] | 7.5 | 0.27% | 2026-01-08 | 2026-01-20 |
| CVE-2025-61777 | Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database po | [email protected] | 9.4 | 0.43% | 2025-10-06 | 2025-10-30 |
| CVE-2025-59932 | Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthorized users to create, modify, or delete resources on the platform. The issue has been fixed in FlagForge version 2.3.1. | [email protected] | 8.6 | 0.35% | 2025-09-27 | 2025-10-08 |
| CVE-2025-59843 | Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability. | [email protected] | 6.9 | 0.40% | 2025-09-26 | 2026-01-29 |
| CVE-2025-59841 | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1. | [email protected] | 9.8 | 0.39% | 2025-09-25 | 2025-10-08 |
| CVE-2025-59833 | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0. | [email protected] | 7.5 | 0.32% | 2025-09-24 | 2025-10-08 |
| CVE-2025-59827 | Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege escalation and impersonation of administrative roles. This issue has been patched in version 2.2.0. | [email protected] | 9.8 | 0.33% | 2025-09-24 | 2025-10-08 |
| CVE-2025-59826 | Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges, potentially introducing malicious, incorrect, or misleading content. This issue has been patched in version 2.2.0. | [email protected] | 7.6 | 0.21% | 2025-09-23 | 2025-10-08 |