17 matches found
CVE-2026-30345
A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories via supplying a crafted import...
CVE-2020-7245
Incorrect username validation in the registration process of CTFd v2.0.0 - v2.2.2 allows an attacker to take over an arbitrary account if the username is known and emails are enabled on the CTFd instance. To exploit the vulnerability, one must register with a username identical to the victim's...
EUVD-2020-28372
Malware in sbrugna...
EUVD-2025-3069
Malicious code in bioql PyPI...
EUVD-2024-34048
Malicious code in bioql PyPI...
CVE-2024-11716
While assignment of a user to a team bracket in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releas...
CVE-2024-11717
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to...
CVE-2024-42988
Lack of access control in ChallengeSolves /api/v1/challenges//solves of CTFd v2.0.0 - v3.7.2 allows authenticated users to retrieve a list of users who have solved the challenge, regardless of the Account Visibility settings. The issue is fixed in v3.7.3+...
CVE-2025-23001
A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. An attacker can manipulate the Host header in HTTP requests, which may lead to phishing attacks, reset password, or cache poisoning. NOTE: the Supplier's...
CVE-2025-23001
A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. An attacker can manipulate the Host header in HTTP requests, which may lead to phishing attacks, reset password, or cache poisoning. NOTE: the Supplier's...
CVE-2025-23001
A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. An attacker can manipulate the Host header in HTTP requests, which may lead to phishing attacks, reset password, or cache poisoning. NOTE: the Supplier's...
CVE-2025-23001
CVE-2025-23001 affects CTFd 3.7.5. The vulnerability is a Host header injection caused by insufficient validation/sanitization of the Host header in HTTP requests. Potential impacts include phishing, password reset manipulation, and cache poisoning as described in multiple sources. Some entries n...
CVE-2024-46242
An issue in the validateemail function in CTFd/utils/validators/init.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service ReDoS via supplying a crafted string as e-mail address during registration...
CVE-2024-46242
The CVE-2024-46242 entry describes a Regular Expression Denial of Service (ReDoS) in CTFd 3.7.3 caused by the validate_email function in CTFd/utils/validators/init .py. An attacker can trigger the vulnerability by supplying a crafted string as an email address during user registration, potentiall...
CVE-2024-11716
While assignment of a user to a team bracket in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releas...
CVE-2024-11717
CTFd (CTFd project) is affected by CVE-2024-11717. Tokens used for account activation and password resets are interchangeable and are transmitted as GET parameters; tokens are not single-use and can be reused within the expiration window, enabling an on-path attacker to reset a password and take ...
CVE-2024-11716
CVE-2024-11716 (CTFd) : A logic flaw in CTFd allows an authenticated user to reset their bracket after registration and join another team while a competition is ongoing. Affected releases: 3.7.0—3.7.4. The issue was addressed in 3.7.5 via pull request 2636. Practical impact: potentially enables b...