
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

12 advisories

ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider Moderate
CVE-2026-55669 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to Android-Login-Analysis, IAM-marco, livio-a, and Punisher100
ZITADEL: Missing Token Lifecycle Validation (`exp` and `iat`) in JWT IdP Provider Moderate
GHSA-wxg7-w2v3-w38g was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to Android-Login-Analysis, livio-a, and IAM-marco
[advisory title and identifier not captured on this page] Credited to kodareef5, grvijayan, IAM-marco, livio-a, cipher-creator, and N008x
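The two JWT IdP advisories above both come down to registered claims that a relying party must check before it trusts an identity token from an external IdP: `aud` must contain the client ID the relying party registered at that IdP, `exp` must still be in the future, and `iat` must not be in the future (with a small skew allowance). The block below is an added example of those checks in Go, written for this page; it is not ZITADEL's code and does not describe how the ZITADEL issues were introduced or fixed. It assumes the token's signature has already been verified against the IdP's keys (signature verification is deliberately left out), uses only the standard library, and builds an unsigned token in `BuildUnsignedToken` purely as constructed test input.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Audience decodes the RFC 7519 "aud" claim, which may be a single string
// or an array of strings.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = Audience(many)
	return nil
}

// Claims holds the registered claims this example checks. Field names are
// this example's own; they are not a ZITADEL type.
type Claims struct {
	Issuer   string   `json:"iss,omitempty"`
	Subject  string   `json:"sub,omitempty"`
	Audience Audience `json:"aud,omitempty"`
	Expiry   int64    `json:"exp,omitempty"`
	IssuedAt int64    `json:"iat,omitempty"`
}

// DecodeClaims returns the payload of a compact JWT. Assumption of this
// example: the signature segment was already verified by the caller.
func DecodeClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return &c, nil
}

// ValidateClaims enforces audience and lifetime. expectedAud is the client
// ID registered at the IdP; leeway absorbs clock skew between IdP and RP.
// A missing exp or iat is rejected here rather than treated as "unlimited".
func ValidateClaims(c *Claims, expectedAud string, now time.Time, leeway time.Duration) error {
	if c.Expiry == 0 {
		return errors.New("exp claim missing")
	}
	if !now.Before(time.Unix(c.Expiry, 0).Add(leeway)) {
		return errors.New("token expired")
	}
	if c.IssuedAt == 0 {
		return errors.New("iat claim missing")
	}
	if time.Unix(c.IssuedAt, 0).After(now.Add(leeway)) {
		return errors.New("token issued in the future")
	}
	for _, a := range c.Audience {
		if a == expectedAud {
			return nil
		}
	}
	return fmt.Errorf("audience %v does not include %q", []string(c.Audience), expectedAud)
}

// ValidateToken decodes and validates in one step.
func ValidateToken(token, expectedAud string, now time.Time, leeway time.Duration) error {
	c, err := DecodeClaims(token)
	if err != nil {
		return err
	}
	return ValidateClaims(c, expectedAud, now, leeway)
}

// BuildUnsignedToken produces constructed test input (alg "none", empty
// signature). Never accept such a token in production; it exists only so the
// validation logic above can be exercised offline.
func BuildUnsignedToken(c Claims) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".", nil
}

func main() {
	now := time.Now()
	tok, _ := BuildUnsignedToken(Claims{Audience: Audience{"my-client"}, Expiry: now.Unix() + 600, IssuedAt: now.Unix()})
	fmt.Println(ValidateToken(tok, "my-client", now, 30*time.Second))
	fmt.Println(ValidateToken(tok, "other-client", now, 30*time.Second))
}
```

The order matters in practice: verify the signature first, then the claims, and only then map `sub` to a local account. An `aud` check that is skipped lets a token minted for any other client at the same IdP log in here; skipped `exp`/`iat` checks let a leaked token keep working indefinitely.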
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5
ZITADEL has potential SSRF via Actions Low
CVE-2026-27945 was published for github.com/zitadel/zitadel/v2 (Go) Feb 27, 2026
Credited to IAM-marco and livio-a
ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API High
CVE-2026-27946 was published for github.com/zitadel/zitadel (Go) Feb 27, 2026
Credited to livio-a, IAM-marco, and MhdAsfan
Zitadel has a user enumeration vulnerability in Login UIs Moderate
CVE-2026-23511 was published for github.com/zitadel/zitadel (Go) Jan 15, 2026
Credited to IAM-marco, livio-a, and mntns
Zitadel Discloses the Total Number of Instance Users Moderate
CVE-2025-67717 was published for github.com/zitadel/zitadel (Go) Dec 10, 2025
Credited to IAM-marco and livio-a
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP High
CVE-2025-64717 was published for github.com/zitadel/zitadel (Go) Nov 14, 2025
Credited to livio-a, IAM-marco, and Jank1310
Zitadel May Bypass Second Authentication Factor High
CVE-2025-64103 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
Credited to livio-a, IAM-marco, and mffap
Zitadel allows brute-forcing authentication factors High
CVE-2025-64102 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
Credited to livio-a, IAM-marco, and evilgensec
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection High
CVE-2025-64101 was published for github.com/zitadel/zitadel/v2 (Go) Oct 29, 2025
Credited to amit-laish, livio-a, and IAM-marco
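The "Malicious Forwarded Header Injection" class named in the advisory above is the general pattern of a server building absolute URLs (password-reset links, login redirects, callback URLs) from `X-Forwarded-Host` / `X-Forwarded-Proto` that any client can set. The block below is an added example, written for this page, of the unsafe form beside a hardened form that honors those headers only when the TCP peer is a configured reverse proxy and the forwarded host is on an allow-list; it is not ZITADEL's code and does not describe the specific ZITADEL defect or fix. The function names, the proxy ranges and the hostnames are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Origin is the scheme and host a handler uses to build absolute URLs.
type Origin struct {
	Scheme string
	Host   string
}

func baseOrigin(r *http.Request) Origin {
	o := Origin{Scheme: "http", Host: r.Host}
	if r.TLS != nil {
		o.Scheme = "https"
	}
	return o
}

// OriginTrustingHeaders is the unsafe pattern: forwarding headers are
// honored no matter who sent them, so an attacker who can get a reset link
// generated for a victim can point that link at a host they control.
func OriginTrustingHeaders(r *http.Request) Origin {
	o := baseOrigin(r)
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		o.Host = h
	}
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		o.Scheme = p
	}
	return o
}

// OriginFromTrustedProxy honors forwarding headers only when the peer is in
// one of the trusted proxy ranges and, if allowedHosts is non-empty, only
// when the forwarded host is on that list. Otherwise it falls back to the
// Host header and TLS state of the connection itself.
func OriginFromTrustedProxy(r *http.Request, trusted []*net.IPNet, allowedHosts []string) Origin {
	o := baseOrigin(r)
	if !peerIsTrusted(r.RemoteAddr, trusted) {
		return o
	}
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		// A chain of proxies appends values; the first one is the client-facing host.
		first := strings.ToLower(strings.TrimSpace(strings.Split(h, ",")[0]))
		if len(allowedHosts) == 0 || hostAllowed(first, allowedHosts) {
			o.Host = first
		}
	}
	if p := r.Header.Get("X-Forwarded-Proto"); p == "https" || p == "http" {
		o.Scheme = p
	}
	return o
}

func hostAllowed(host string, allowed []string) bool {
	for _, a := range allowed {
		if strings.EqualFold(host, a) {
			return true
		}
	}
	return false
}

func peerIsTrusted(remoteAddr string, trusted []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// MustCIDRs parses proxy ranges from configuration; it panics on bad input
// because a misconfigured trust list should fail at startup, not at runtime.
func MustCIDRs(cidrs ...string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func main() {
	r, _ := http.NewRequest("GET", "http://login.example.com/reset", nil)
	r.RemoteAddr = "203.0.113.5:4444" // constructed: not a proxy address
	r.Header.Set("X-Forwarded-Host", "evil.example.net")
	fmt.Println(OriginTrustingHeaders(r), OriginFromTrustedProxy(r, MustCIDRs("10.0.0.0/8"), nil))
}
```

The allow-list matters even behind a trusted proxy: a proxy that forwards whatever `Host` the client sent still lets a client choose the host that ends up in generated links, so the server should compare it against the domains it is actually configured to serve.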