Skip to main content

Open Event Server

1 CVEs product

Monthly

CVE-2026-63101 HIGH POC Monitor

Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. No public exploit has been added to CISA KEV, but the CVSS 4.0 base score of 8.7 (High) and confirmed PoC make it a credible mass-scraping risk.

Authentication Bypass Open Event Server
NVD GitHub
CVSS 4.0
8.7
CVSS 8.7
HIGH POC Monitor

Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. No public exploit has been added to CISA KEV, but the CVSS 4.0 base score of 8.7 (High) and confirmed PoC make it a credible mass-scraping risk.

Authentication Bypass Open Event Server
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy