pkg:Go/github.com/zitadel/zitadel/v2

15 total CVEs (CRITICAL: 3, HIGH: 8, MEDIUM: 1)


All known vulnerabilities

  • CRITICAL (9.3) CVE-2026-29191: ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
    Affected versions: >= 4.0.0, < 4.12.0
  • CRITICAL (9.3) CVE-2025-67494: ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
    Affected versions: from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
  • CRITICAL (9.0) CVE-2025-27507: IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
    Affected versions: from 0, < 2.63.8
  • HIGH (8.2) CVE-2026-29193: ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
    Affected versions: >= 4.0.0, < 4.12.1
  • HIGH (8.1) CVE-2026-29067: ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel
    Affected versions: from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
  • HIGH (8.1) CVE-2025-64101: ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
    Affected versions: >= 2.0.0, < 2.71.18
  • HIGH (8.1) CVE-2025-48936: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
    Affected versions: >= 2.38.3, < 2.70.12
  • HIGH (8.1) CVE-2024-47000: ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel
    Affected versions: >= 2.62.0, < 2.62.1
  • HIGH (8.0) CVE-2025-67495: ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel
    Affected versions: from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
  • HIGH (7.7) CVE-2026-29192: ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
    Affected versions: >= 4.0.0, < 4.12.0
  • HIGH (7.3) CVE-2024-46999: ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel
    Affected versions: >= 2.62.0, < 2.62.1
  • MEDIUM (6.8) CVE-2024-47060: ZITADEL Allows Unauthorized Access After Organization or Project Deactivation
    Affected versions: >= 2.62.0, < 2.62.1
  • CVE-2026-27945: ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel
    Affected versions: >= 2.59.0, < 4.11.1
  • CVE-2025-64103: Zitadel May Bypass Second Authentication Factor
    Affected versions: >= 2.53.6, <= 2.53.9
  • CVE-2025-64102: Zitadel allows brute-forcing authentication factors
    Affected versions: from 0, < 2.71.18