pkg:Go/github.com/zitadel/zitadel

共 69 筆 CVECRITICAL6HIGH27MEDIUM25

✅ 檢查你的版本

所有已知漏洞

CRITICAL9.3CVE-2026-29191ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
from 0
CRITICAL9.3CVE-2026-29191ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
>= 4.0.0, < 4.12.0
CRITICAL9.3CVE-2025-67494ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e, >= 1.83.4
CRITICAL9.3CVE-2025-67494ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
CRITICAL9.0CVE-2025-27507IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
from 0
CRITICAL9.0CVE-2025-27507IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
from 0, < 2.63.8
HIGH8.7CVE-2024-29891ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass
from 0, < 2.42.17
HIGH8.7CVE-2024-29891ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass
from 0
HIGH8.7CVE-2022-36051Broken Authorization in ZITADEL Actions
>= 2.0.0, < 2.2.0
HIGH8.2CVE-2026-29193ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
>= 4.0.0, < 4.12.1
HIGH8.2CVE-2026-29193ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
from 0
HIGH8.1CVE-2026-29067ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
HIGH8.1CVE-2026-29067ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e, >= 1.83.4
HIGH8.1CVE-2025-64101ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
from 0
HIGH8.1CVE-2025-48936ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
from 0, < 0.0.0-20250528081227-c097887bc5f6
HIGH8.1CVE-2025-48936ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
from 0, < 0.0.0-20250528081227-c097887bc5f6
HIGH8.1CVE-2024-47000ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel
from 0
HIGH8.1CVE-2024-28855Improper HTML sanitization in ZITADEL
>= 1.80.1, < 2.41.15
HIGH8.1CVE-2024-28855Improper HTML sanitization in ZITADEL
from 0, < 1.80.0-v2.20.0.20240312162750-5908b97e7c22
HIGH8.1CVE-2023-49097ZITADEL Account Takeover via Malicious Host Header Injection
>= 2.39.0, < 2.39.9
HIGH8.0CVE-2025-67495ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e, >= 1.83.4
HIGH8.0CVE-2025-67495ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
HIGH8.0CVE-2025-46815ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel
from 0
HIGH8.0CVE-2025-46815ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel
>= 3.0.0-rc.1, < 3.0.0
HIGH7.7CVE-2026-29192ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
>= 4.0.0, < 4.12.0
HIGH7.7CVE-2026-29192ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
from 0
HIGH7.5CVE-2026-44671ZITADEL has LDAP Filter Injection in Login Flow
>= 4.0.0, < 4.15.0
HIGH7.5CVE-2024-49757User Registration Bypass in Zitadel in github.com/zitadel/zitadel
from 0
HIGH7.5CVE-2024-49757User Registration Bypass in Zitadel in github.com/zitadel/zitadel
>= 2.63.0, < 2.63.5
HIGH7.5CVE-2024-28197Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
from 0, < 2.44.3
HIGH7.5CVE-2024-28197Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
from 0
HIGH7.3CVE-2024-46999ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel
from 0
HIGH7.3CVE-2023-47111ZITADEL race condition in lockout policy execution
>= 2.39.0, < 2.40.5
MEDIUM6.8CVE-2024-47060ZITADEL Allows Unauthorized Access After Organization or Project Deactivation
from 0
MEDIUM6.5CVE-2024-32868ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
from 0, < 2.50.0
MEDIUM6.5CVE-2024-32868ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
from 0
MEDIUM6.1CVE-2024-29892ZITADEL's actions can overload reserved claims
from 0, < 2.42.17
MEDIUM6.1CVE-2024-29892ZITADEL's actions can overload reserved claims
from 0
MEDIUM5.9CVE-2024-49753Denied Host Validation Bypass in Zitadel Actions
from 0
MEDIUM5.9CVE-2024-49753Denied Host Validation Bypass in Zitadel Actions
>= 2.64.0, < 2.64.1
MEDIUM5.9CVE-2023-22492Zitadel RefreshToken invalidation vulnerability
>= 2.17.0, < 2.17.3
MEDIUM5.7CVE-2024-39683ZITADEL Vulnerable to Session Information Leakage
from 0
MEDIUM5.7CVE-2024-39683ZITADEL Vulnerable to Session Information Leakage
>= 2.0.0, < 2.53.8
MEDIUM5.3CVE-2026-33132Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel
>= 4.0.0-rc.1, < 4.12.3
MEDIUM5.3CVE-2026-33132Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20260317120401-d90285929ca0
MEDIUM5.3CVE-2026-23511Zitadel has a user enumeration vulnerability in Login UIs
from 0
MEDIUM5.3CVE-2026-23511Zitadel has a user enumeration vulnerability in Login UIs
>= 4.0.0, < 4.9.1
MEDIUM5.3CVE-2024-41952ZITADEL "ignoring unknown usernames" vulnerability
from 0
MEDIUM5.3CVE-2024-41952ZITADEL "ignoring unknown usernames" vulnerability
>= 2.53.0, < 2.53.9
MEDIUM5.3CVE-2024-32967Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel
>= 2.50.0, < 2.50.3
MEDIUM5.3CVE-2024-32967Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel
from 0
MEDIUM5.3CVE-2023-44399ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting
from 0, < 2.37.3
MEDIUM4.3CVE-2026-27840ZITADEL's truncated opaque tokens are still valid
from 0
MEDIUM4.3CVE-2026-27840ZITADEL's truncated opaque tokens are still valid
>= 4.0.0, < 4.11.0
MEDIUM4.3CVE-2025-67717Zitadel Discloses the Total Number of Instance Users
>= 4.0.0-rc.1, < 4.7.2
MEDIUM4.3CVE-2025-67717Zitadel Discloses the Total Number of Instance Users
from 0, < 1.80.0-v2.20.0.20251210121356-826039c6208f
MEDIUM4.3CVE-2024-41953ZITADEL has improper HTML sanitization in emails and Console UI
from 0
MEDIUM4.3CVE-2024-41953ZITADEL has improper HTML sanitization in emails and Console UI
>= 1.80.1, < 2.52.3
—CVE-2026-27945ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel
from 0, < 1.80.0-v2.20.0.20260225053328-b2532e966621
—CVE-2026-27946ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
>= 4.0.0, < 4.11.1
—CVE-2026-27946ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
from 0, < 1.80.0-v2.20.0.20260225053417-0261536243e5
—CVE-2025-64717ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP in github.com/zitadel/zitadel
>= 4.0.0-rc.1, < 4.6.6
—CVE-2025-64717ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP in github.com/zitadel/zitadel
>= 1.80.0-v2.20.0.20240403060621-5b3946b67ef6, < 1.80.0-v2.20.0.20251112124840-33c51deb2040
—CVE-2025-64431IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering in github.com/zitadel/zitadel
>= 1.80.0-v2.20.0.20250414095945-f365cee73242, < 1.80.0-v2.20.0.20251105083648-8dcfff97ed52
—CVE-2025-64431IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering in github.com/zitadel/zitadel
>= 4.0.0-rc.1, < 4.6.3
—CVE-2025-64103Zitadel May Bypass Second Authentication Factor
from 0
—CVE-2025-64103Zitadel May Bypass Second Authentication Factor
from 0, < 1.80.0-v2.20.0.20251029091250-b284f8474eed
—CVE-2025-64102Zitadel allows brute-forcing authentication factors
from 0
—CVE-2025-64102Zitadel allows brute-forcing authentication factors
from 0, < 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8