GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
41 advisories
Filter by severity
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
Moderate
CVE-2026-55669
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
Moderate
GHSA-wxg7-w2v3-w38g
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
High
CVE-2026-55672
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
Low
CVE-2026-55670
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
Low
CVE-2026-55671
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
ZITADEL has LDAP Filter Injection in Login Flow
High
CVE-2026-44671
was published
for
github.com/zitadel/zitadel
(Go)
May 8, 2026
Zitadel is missing enforcement of organization scopes
Moderate
CVE-2026-33132
was published
for
github.com/zitadel/zitadel
(Go)
Mar 18, 2026
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
High
CVE-2026-29192
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
High
CVE-2026-29193
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
Critical
CVE-2026-29191
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
ZITADEL has potential SSRF via Actions
Low
CVE-2026-27945
was published
for
github.com/zitadel/zitadel/v2
(Go)
Feb 27, 2026
ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
High
CVE-2026-27946
was published
for
github.com/zitadel/zitadel
(Go)
Feb 27, 2026
ZITADEL's truncated opaque tokens are still valid
Moderate
CVE-2026-27840
was published
for
github.com/zitadel/zitadel
(Go)
Feb 27, 2026
Zitadel has a user enumeration vulnerability in Login UIs
Moderate
CVE-2026-23511
was published
for
github.com/zitadel/zitadel
(Go)
Jan 15, 2026
Zitadel Discloses the Total Number of Instance Users
Moderate
CVE-2025-67717
was published
for
github.com/zitadel/zitadel
(Go)
Dec 10, 2025
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
High
CVE-2025-67495
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
High
CVE-2026-29067
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Critical
CVE-2025-67494
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
High
CVE-2025-64717
was published
for
github.com/zitadel/zitadel
(Go)
Nov 14, 2025
IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering
High
CVE-2025-64431
was published
for
github.com/zitadel/zitadel
(Go)
Nov 5, 2025
Zitadel May Bypass Second Authentication Factor
High
CVE-2025-64103
was published
for
github.com/zitadel/zitadel
(Go)
Oct 29, 2025
Zitadel allows brute-forcing authentication factors
High
CVE-2025-64102
was published
for
github.com/zitadel/zitadel
(Go)
Oct 29, 2025
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
High
CVE-2025-64101
was published
for
github.com/zitadel/zitadel/v2
(Go)
Oct 29, 2025
ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
High
CVE-2025-48936
was published
for
github.com/zitadel/zitadel
(Go)
May 28, 2025
ZITADEL Allows IdP Intent Token Reuse
High
CVE-2025-46815
was published
for
github.com/zitadel/zitadel
(Go)
May 6, 2025
ProTip!
Advisories are also available from the
GraphQL API