| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-33132 | ZITADEL is missing enforcement of organization scopes | zitadel | zitadel | Medium | 5.3 | 2026-03-20 10:21:19 | Deep Dive |
| CVE-2026-32132 | ZITADEL: Reactivation of Expired Passkey Registration Codes | zitadel | zitadel | High | 7.4 | 2026-03-11 21:40:07 | Deep Dive |
| CVE-2026-32131 | ZITADEL Cross-Tenant Information Disclosure in Management API | zitadel | zitadel | High | 7.7 | 2026-03-11 21:38:52 | Deep Dive |
| CVE-2026-32130 | ZITADEL SCIM Authentication Bypass via URL Encoding | zitadel | zitadel | High | 7.5 | 2026-03-11 21:37:07 | Deep Dive |
| CVE-2026-29067 | ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login | zitadel | zitadel | High | 8.1 | 2026-03-07 15:12:26 | Deep Dive |
| CVE-2026-29193 | ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2 | zitadel | zitadel | High | 8.2 | 2026-03-07 15:11:06 | Deep Dive |
| CVE-2026-29192 | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | zitadel | zitadel | High | 7.7 | 2026-03-07 15:09:53 | Deep Dive |
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | zitadel | zitadel | Critical | 9.3 | 2026-03-07 15:07:03 | Deep Dive |
| CVE-2026-27946 | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API | zitadel | zitadel | - | - | 2026-02-26 00:34:57 | Deep Dive |
| CVE-2026-27945 | ZITADEL has potential SSRF via Actions | zitadel | zitadel | - | - | 2026-02-26 00:29:58 | Deep Dive |
| CVE-2026-27840 | ZITADEL's truncated opaque tokens are still valid | zitadel | zitadel | Medium | 4.3 | 2026-02-26 00:27:09 | Deep Dive |
| CVE-2026-23511 | ZITADEL has a user enumeration vulnerability in Login UIs | zitadel | zitadel | Medium | 5.3 | 2026-01-15 19:09:06 | Deep Dive |
| CVE-2025-67717 | Zitadel Discloses the Total Number of Instance Users | zitadel | zitadel | - | - | 2025-12-11 00:30:19 | Deep Dive |
| CVE-2025-67495 | ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login | zitadel | zitadel | High | 8.0 | 2025-12-09 22:38:44 | Deep Dive |
| CVE-2025-67494 | ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login | zitadel | zitadel | Critical | 9.3 | 2025-12-09 22:07:52 | Deep Dive |
| CVE-2025-64717 | ZITADEL vulnerable to Account Takeover with deactivated Instance IdP | zitadel | zitadel | Medium | - | 2025-11-13 15:30:51 | Deep Dive |
| CVE-2025-64431 | IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tampering | zitadel | zitadel | Medium | - | 2025-11-07 18:09:25 | Deep Dive |
| CVE-2025-64103 | Zitadel Bypass Second Authentication Factor | zitadel | zitadel | - | - | 2025-10-29 18:43:47 | Deep Dive |
| CVE-2025-64102 | Zitadel allows brute-forcing authentication factors | zitadel | zitadel | - | - | 2025-10-29 18:36:15 | Deep Dive |
| CVE-2025-64101 | ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection | zitadel | zitadel | High | 8.1 | 2025-10-29 18:30:15 | Deep Dive |