
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

35 advisories

ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting Moderate
CVE-2023-44399 was published for github.com/zitadel/zitadel (Go) Oct 10, 2023
Credited to hoseph, livio-a, fforootd, and adlerhurst
ZITADEL race condition in lockout policy execution High
CVE-2023-47111 was published for github.com/zitadel/zitadel (Go) Nov 8, 2023
Credited to itz-d0dgy and livio-a
ZITADEL Account Takeover via Malicious Host Header Injection High
CVE-2023-49097 was published for github.com/zitadel/zitadel (Go) Nov 29, 2023
Credited to eliobischof, livio-a, and amit-laish
ZITADEL's actions can overload reserved claims High
CVE-2024-29892 was published for github.com/zitadel/zitadel (Go) Mar 28, 2024
Credited to schettn, fforootd, adlerhurst, and livio-a
ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass High
CVE-2024-29891 was published for github.com/zitadel/zitadel (Go) Mar 28, 2024
Credited to amit-laish, fforootd, livio-a, and adlerhurst
ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass High
CVE-2024-32868 was published for github.com/zitadel/zitadel (Go) Apr 25, 2024
Credited to livio-a, Skelmis, itz-d0dgy, amit-laish, muhlemmer, and peintnermax
Zitadel exposing internal database user name and host information Moderate
CVE-2024-32967 was published for github.com/zitadel/zitadel (Go) May 1, 2024
Credited to stiwari99, fforootd, and livio-a
ZITADEL Vulnerable to Session Information Leakage Moderate
CVE-2024-39683 was published for github.com/zitadel/zitadel (Go) Jul 5, 2024
Credited to cybertransformer, livio-a, fforootd, Avolicious, AmirhoseinBrz, and srividyaj
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http Moderate
GHSA-qc6v-5g5m-8cw2 was published for github.com/zitadel/zitadel-go/v3 (Go) Jul 15, 2024
Credited to helpisdev and livio-a
ZITADEL has improper HTML sanitization in emails and Console UI Moderate
CVE-2024-41953 was published for github.com/zitadel/zitadel (Go) Jul 31, 2024
Credited to livio-a
ZITADEL "ignoring unknown usernames" vulnerability Moderate
CVE-2024-41952 was published for github.com/zitadel/zitadel (Go) Jul 31, 2024
Credited to livio-a
ZITADEL's User Grant Deactivation not Working High
CVE-2024-46999 was published for github.com/zitadel/zitadel/v2 (Go) Sep 19, 2024
Credited to livio-a and fforootd
ZITADEL's Service Users Deactivation not Working High
CVE-2024-47000 was published for github.com/zitadel/zitadel/v2 (Go) Sep 19, 2024
Credited to livio-a and fforootd
ZITADEL Allows Unauthorized Access After Organization or Project Deactivation High
CVE-2024-47060 was published for github.com/zitadel/zitadel/v2 (Go) Sep 19, 2024
Credited to prdp1137, livio-a, and fforootd
Denied Host Validation Bypass in Zitadel Actions Moderate
CVE-2024-49753 was published for github.com/zitadel/zitadel (Go) Oct 25, 2024
Credited to prdp1137, livio-a, and fforootd
IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations Critical
CVE-2025-27507 was published for github.com/zitadel/zitadel (Go) Mar 4, 2025
Credited to amit-laish, livio-a, fforootd, and adlerhurst
ZITADEL Allows IdP Intent Token Reuse High
CVE-2025-46815 was published for github.com/zitadel/zitadel (Go) May 6, 2025
Credited to cfx, livio-a, and fforootd
ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection High
CVE-2025-48936 was published for github.com/zitadel/zitadel (Go) May 28, 2025
Credited to amit-laish, livio-a, and eliobischof
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection High
CVE-2025-64101 was published for github.com/zitadel/zitadel/v2 (Go) Oct 29, 2025
Credited to amit-laish, livio-a, and IAM-marco
Zitadel allows brute-forcing authentication factors High
CVE-2025-64102 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
Credited to livio-a, IAM-marco, and evilgensec
Zitadel May Bypass Second Authentication Factor High
CVE-2025-64103 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
Credited to livio-a, IAM-marco, and mffap
IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering High
CVE-2025-64431 was published for github.com/zitadel/zitadel (Go) Nov 5, 2025
Credited to livio-a and stebenz
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP High
CVE-2025-64717 was published for github.com/zitadel/zitadel (Go) Nov 14, 2025
Credited to livio-a, IAM-marco, and Jank1310
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login Critical
CVE-2025-67494 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
Credited to amit-laish and livio-a
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login High
CVE-2026-29067 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
Credited to amit-laish, peintnermax, and livio-a