CVE-2025-46552

KHC-INVITATION-AUTOMATION Sensitive User Information Leakage in Invitation Automation

Description

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2.

Category

6.3
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.05%
Affected: Krypto-Hashers-Community KHC-INVITATION-AUTOMATION
Published at:
Updated at:

References

Link Tags
https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/security/advisories/GHSA-7mpf-6gg2-2fjp
https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/commit/bc908a4ef538b24d4543ae95a413be6afa308bf5

Frequently Asked Questions

What is the severity of CVE-2025-46552?
CVE-2025-46552 has been scored as a medium severity vulnerability.
How to fix CVE-2025-46552?
To fix CVE-2025-46552, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-46552 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-46552 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-46552?
CVE-2025-46552 affects Krypto-Hashers-Community KHC-INVITATION-AUTOMATION.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.