| CVE ID | Severity | Score | Score | Published | Title |
|---|---|---|---|---|---|
| CVE-2026-44671 | high | 7.5 | 7.5 | 13d ago | ZITADEL has LDAP Filter Injection in Login Flow |
| CVE-2026-33132 | unknown | — | — | 2mo ago | Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel |
| CVE-2026-29192 | unknown | — | — | 3mo ago | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover in github.com/zitadel/zitadel |
| CVE-2026-29193 | unknown | — | — | 3mo ago | ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication in github.com/zitadel/zitadel |
| CVE-2026-29191 | unknown | — | — | 3mo ago | ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint in github.com/zitadel/zitadel |
| CVE-2026-27945 | unknown | — | — | 3mo ago | ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel |
| CVE-2026-27946 | unknown | — | — | 3mo ago | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API in github.com/zitadel/zitadel |
| CVE-2026-27840 | unknown | — | — | 3mo ago | ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel |
| CVE-2026-23511 | unknown | — | — | 4mo ago | Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel |
| CVE-2025-67717 | unknown | — | — | 6mo ago | Zitadel Discloses the Total Number of Instance Users in github.com/zitadel/zitadel |
| CVE-2025-67495 | unknown | — | — | 6mo ago | ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel |
| CVE-2026-29067 | unknown | — | — | 6mo ago | ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel |
| CVE-2025-67494 | unknown | — | — | 6mo ago | ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel |
| CVE-2025-64717 | unknown | — | — | 6mo ago | ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP in github.com/zitadel/zitadel |
| CVE-2025-64431 | unknown | — | — | 7mo ago | IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering in github.com/zitadel/zitadel |
| CVE-2025-64103 | unknown | — | — | 7mo ago | Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel |
| CVE-2025-64102 | unknown | — | — | 7mo ago | Zitadel allows brute-forcing authentication factors in github.com/zitadel/zitadel |
| CVE-2025-64101 | unknown | — | — | 7mo ago | ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection in github.com/zitadel/zitadel |
| CVE-2025-48936 | unknown | — | — | 1y ago | ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel |
| CVE-2025-46815 | unknown | — | — | 1y ago | ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel |
| CVE-2025-27507 | unknown | — | — | 1y ago | IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations in github.com/zitadel/zitadel |
| CVE-2024-49757 | unknown | — | — | 2y ago | User Registration Bypass in Zitadel in github.com/zitadel/zitadel |
| CVE-2024-49753 | unknown | — | — | 2y ago | Denied Host Validation Bypass in Zitadel Actions in github.com/zitadel/zitadel |
| CVE-2024-47060 | unknown | — | — | 2y ago | ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel |
| CVE-2024-47000 | unknown | — | — | 2y ago | ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel |
| CVE-2024-46999 | unknown | — | — | 2y ago | ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel |
| CVE-2024-41952 | unknown | — | — | 2y ago | ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel |
| CVE-2024-41953 | unknown | — | — | 2y ago | ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel |
| CVE-2024-39683 | unknown | — | — | 2y ago | ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel |
| CVE-2024-32967 | unknown | — | — | 2y ago | Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel |
| CVE-2024-32868 | unknown | — | — | 2y ago | ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel |
| CVE-2024-29891 | unknown | — | — | 2y ago | ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel |
| CVE-2024-29892 | unknown | — | — | 2y ago | ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel |
| CVE-2024-28855 | unknown | — | — | 2y ago | XSS in github.com/zitadel/zitadel |
| CVE-2024-28197 | unknown | — | — | 2y ago | Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel |
| CVE-2023-49097 | unknown | — | — | 3y ago | ZITADEL Account Takeover via Malicious Host Header Injection |
| CVE-2023-47111 | unknown | — | — | 3y ago | ZITADEL race condition in lockout policy execution |
| CVE-2023-44399 | unknown | — | — | 3y ago | ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting |
| CVE-2023-22492 | unknown | — | — | 3y ago | Zitadel RefreshToken invalidation vulnerability |
| CVE-2022-36051 | unknown | — | — | 4y ago | Broken Authorization in ZITADEL Actions |