CVE-2025-14317

EUVD-2026-2510
In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data.


This issue was fixed in version 915 (Android) and 7.4.1 (iOS).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Common Weakness Enumeration
References
https://cert.pl/posts/2026/01/CVE-2025-14317
https://crazybubble.pl/aplikacja-crazy-bubble/