Website

There exists a method in which anybody can launch group public instances for any group, even if they do not belong to that group. This was confirmed to be the case with the permission turned off for the "Everyone" role. This does not require any tooling, external programs, direct access to the API, or changes to the VRChat client. This includes groups that are closed and invite-only. The only exception to this is if the member is already banned from the group. What does this actually mean for you? Malicious instances could be opened in opposition to a group's values. For example, a group supporting those who have PTSD from war would not want a group public instance opened in a warzone map. Groups that only open moderated instances by policy could have public unmoderated instances opened on their behalf without approval. Groups representing staff or brand ambassadors could have public instances opened on their behalf without approval. I initially informed VRChat of this on 09/11/2024 via the App/Website Security Exploit Report form under ticket #441683. Per the form: "We do not guarantee a response other than the automated "ticket received" notification." And that's all I've gotten. Unfortunately, this means that I have no way of knowing if VRChat is still actively aware of this exploit, if they plan to take ownership, or when a fix is expected. Precautions you can take as group owners: Monitor your instance lists. Also monitor your audit logs in Settings -> Logs via the group page on the VRChat website. I have intentionally left out the method, but it is trivial and only a matter of time before others figure it out, if they haven't already. Staff can check the ticket provided for the method.

i can't see my avatar pages from website,it is loading forever ,i ask my friend to check it then he see the same thing too

It looks like the Stickers section in the inventory, and probably other places, don't detect that we have an active VRC+ subscription.

~30 minutes ago you posted this Help Desk article: Trust & Safety Reporting Changes There's a broken link in that article, a trailing "." in the URL. > Users may continue utilizing the Help Desk form for appeals and reports that include attached evidence, such as screenshots or video recordings. For guidance on best practices when reporting a user through the ticketing system, please review this article . https://help.vrchat.com/hc/en-us/articles/360062658553-I-want-to-report-someone. The correct URL (without the trailing period) is: https://help.vrchat.com/hc/en-us/articles/360062658553-I-want-to-report-someone [I want to report someone ; Reporting changes ]

When the word “creator” on this site is automatically translated into Japanese by the site’s built-in translation feature, it becomes garbled and appears as something like “?$#@$”. Please see the attached image for details.

There's an isolated issue with invm_95b3441b-308a-4083-bd26-e3b57dc61cf3 on my account usr_6fa4abc5-9952-4a0a-97de-b3598fbf6a5c which prevents one specific invite message (message slot 6, "Let's party!") from being updated, due to the June 8, 2025 API instability/outage incident . (Full details are available in the support ticket: #591843) ## Expected behavior on message slot 6 update (success scenario) The invite message is updated, canBeUpdated is set to "false", updatedAt date is updated, remainingCooldownMinutes is set to 60, and the API responds 200 OK. In the VRChat client, the message "Updated message text" should appear, and the message is expected to be updated. ## Alternative expected behavior on message slot 6 update (failure scenario) The API should respond with a HTTP response code 500 Internal Server error or similar, or returns an error message in the body JSON response. I don't expect the API to respond 200 OK in this scenario. ## Actual behavior on message slot 6 update (failure scenario) The invite message is not updated, canBeUpdated remains "true", updatedAt date is not updated (remains at old value "2025-06-08T01:12:29.649Z"), remainingCoolDownMinutes stays at its previous value 0, and the API responds 200 OK. In the VRChat client, the message "Updated message text" appears, and the message in the UI resets to the previous message from 2025-06-08T01:12:29.649Z (the old message received from the API). (Video: https://files.catbox.moe/co6xpw.mp4 ) --- Unofficial API reference: https://vrchat.community/openapi/get-invite-messages https://vrchat.community/openapi/update-invite-message https://vrchat.community/openapi/get-invite-message API requests and responses are attached as text files (with small redactions to personal data relating to login cookies and User-Agent identity for the public; unredacted versions are in the support ticket). Message slot 5 update ( 4 - Update message 5.txt ) is included for a demonstration of the expected PUT behavior. Message slot 6 update ( 5 - Update message 6.txt ) is included for a demonstration of the unexpected PUT behavior. 7 - Get Invite Message 6.txt contains the singular GET response from the API for message slot 6.

The VRC+ page on hello.vrchat.com ( https://hello.vrchat.com/vrchatplus ) doesn't display the VRC+ header image (as shown in the attached 1st image). For instance, the march page shows the VRC+ image (2nd image). It appears to be a CSS programming error between the active header underline and the VRC+ image, both of which use a background image (3rd image).

It seems that all of my friends are not displayed in the right column of the web page, even if I move the tab down. I have about 900 friends, but only about 250 are shown at most. There seems to be a limit to the number of friends, especially offline friends. When I delete a friend, it seems that the friends that were not displayed before are displayed, but the total number of friends displayed still seems to be about 250.

Searching by group code fails on IOS / Safari, see attachments for examples. Note that when searching with the Google app it works as expected.