Primary

Context

Flag Forge Information Disclosure Vulnerability in User API Endpoint

Vulnerability

A vulnerability in Flag Forge versions 2.0.0 prior to 2.3.1 allows the public API endpoint /api/user/[username] to expose user email addresses in its JSON response. This disclosure of personally identifiable information (PII) violates privacy expectations and could enable user enumeration. The issue has been resolved in Flag Forge version 2.3.1, which removes email addresses from public API responses while keeping the endpoint accessible.

Impact

Exploitation of this vulnerability leads to unauthorized exposure of user email addresses, allowing for enumeration of usernames and collection of personal information.

Remediation

Users are advised to upgrade to Flag Forge version 2.3.1 or later to address this vulnerability.

Added: Sep 26, 2025, 4:17 PM

Updated: Sep 26, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.6

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.6

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Flag Forge Information Disclosure Vulnerability in User API Endpoint

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating