GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:

Ecosystem | Count
All reviewed | 5,000+
Composer | 5,000+
Erlang | 49
GitHub Actions | 49
Go | 3,413
Maven | 5,000+
npm | 5,000+
NuGet | 882
pip | 4,656
Pub | 13
RubyGems | 1,027
Rust | 1,209
Swift | 53

Unreviewed advisories (all unreviewed): 5,000+
15 advisories
Advisory | Severity | CVE | Package (ecosystem) | Published
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | High | CVE-2026-29192 | github.com/zitadel/zitadel (Go) | Mar 4, 2026
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication | High | CVE-2026-29193 | github.com/zitadel/zitadel (Go) | Mar 4, 2026
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint | Critical | CVE-2026-29191 | github.com/zitadel/zitadel (Go) | Mar 4, 2026
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login | High | CVE-2025-67495 | github.com/zitadel/zitadel (Go) | Dec 8, 2025
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login | High | CVE-2026-29067 | github.com/zitadel/zitadel (Go) | Dec 8, 2025
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login | Critical | CVE-2025-67494 | github.com/zitadel/zitadel (Go) | Dec 8, 2025
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection | High | CVE-2025-64101 | github.com/zitadel/zitadel/v2 (Go) | Oct 29, 2025
ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection | High | CVE-2025-48936 | github.com/zitadel/zitadel (Go) | May 28, 2025
IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations | Critical | CVE-2025-27507 | github.com/zitadel/zitadel (Go) | Mar 4, 2025
ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass | High | CVE-2024-32868 | github.com/zitadel/zitadel (Go) | Apr 25, 2024
ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass | High | CVE-2024-29891 | github.com/zitadel/zitadel (Go) | Mar 28, 2024
Account Takeover via Session Fixation in Zitadel [Bypassing MFA] | High | CVE-2024-28197 | github.com/zitadel/zitadel (Go) | Mar 11, 2024
ZITADEL Account Takeover via Malicious Host Header Injection | High | CVE-2023-49097 | github.com/zitadel/zitadel (Go) | Nov 29, 2023
Argo CD repo-server Denial of Service vulnerability | Moderate | CVE-2023-40584 | github.com/argoproj/argo-cd/v2 (Go) | Sep 11, 2023
SpiceDB binding metrics port to untrusted networks and can leak command-line flags | High | CVE-2023-29193 | github.com/authzed/spicedb (Go) | Apr 13, 2023