An issue in hackathon-starter v.8.1.0 allows a remote attacker to escalate privileges via the user.js component.
https://github.com/sahat/hackathon-starter/pull/1328
https://github.com/sahat/hackathon-starter/issues/1326
https://github.com/HypeDuke/vulnerable-research/blob/main/CVE-2025-29036