Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in Crazy Bubble Tea mobile application
14 January 2026 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-14317
Publication date 14 January 2026
Vendor Emaintenance
Product Crazy Bubble Tea
Vulnerable versions All before 915 (Android) and 7.4.1 (iOS)
Vulnerability type (CWE) Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerability in Emaintenance Crazy Bubble Tea software and participated in coordination of its disclosure.

The vulnerability CVE-2025-14317: In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a loyaltyGuestId parameter. Server does not verify the permissions required to obtain the data.

This issue was fixed in version 915 (Android) and 7.4.1 (iOS).

Credits

We thank Tobiasz „Palidon” Kostrzewa for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.