CTFd 3.7.5

CTFd 3.7.5 has been released with a security fix for an issue where a user could change their own bracket after registration. Depending on how brackets are used, this could affect external systems or processes that rely on the integrity of bracket assignments.

CTFd 3.7.5 also makes email confirmation and password reset tokens single use and not interchangeable. This mitigates the possibility of a man-in-the-middle attacker re-using a token before the 30-minute expiration.
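The two properties described above, single use and no interchange between flows, shown as an added example; this is not CTFd's code, and the `TokenStore` class, the purpose strings and the in-memory table are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 30 * 60  # 30-minute expiration, as stated in the release note


class TokenStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(token) -> (purpose, email, expires_at)

    def issue(self, purpose, email):
        """Create a random token bound to one purpose and one account."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = (purpose, email, self._clock() + TOKEN_TTL)
        return token

    def consume(self, purpose, token):
        """Return the email once for a valid token, otherwise None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.get(digest)
        if row is None:
            return None  # unknown or already used
        stored_purpose, email, expires_at = row
        if stored_purpose != purpose:
            return None  # a reset token cannot confirm an email, and vice versa
        del self._rows[digest]  # single use: removed on first redemption
        if self._clock() >= expires_at:
            return None  # expired; the row has been removed as well
        return email


if __name__ == "__main__":
    store = TokenStore()
    # Constructed sample account, not taken from the release note.
    tok = store.issue("reset_password", "player@example.com")
    print(store.consume("confirm_email", tok))   # wrong flow: rejected
    print(store.consume("reset_password", tok))  # first use: accepted
    print(store.consume("reset_password", tok))  # replay: rejected
```

Only the SHA-256 digest of each token is kept, so a read of the table does not yield usable tokens.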

We recommend all CTFd users update their instance to v3.7.5.

v3.7.5 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub.
