hydra — Vulnerabilities & Security Advisories 12

All 12 CVE vulnerabilities found in hydra, with AI-generated Chinese analysis, references, and POCs.

Vendor: ory

CVE ID	Title	CVSS	Severity	Published
CVE-2026-33504	Ory Hydra has a SQL injection via forged pagination tokens CWE-89	7.2	High	2026-03-26
CVE-2025-54864	Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins CWE-306	7.5^AI	High^AI	2025-08-12
CVE-2025-54800	Hydra persistent XSS in build metrics CWE-79	6.1^AI	Medium^AI	2025-08-12
CVE-2025-48886	hydra-node dangerously assumes L1 event finality and does not consider failed transactions CWE-755	4.8	Medium	2025-06-19
CVE-2025-32435	Hydra no restricted eval after nix-eval-jobs migration CWE-95	2.6	Low	2025-04-15
CVE-2024-45049	Nix Hydra Missing authentication when triggering evaluations CWE-306	7.5	High	2024-08-27
CVE-2024-32657	Hydra has persistent XSS vulnerability serving HTML build outputs CWE-79	4.6	Medium	2024-04-22
CVE-2023-42449	Malicious head initialiser can extract PTs from control of Hydra scripts, leading to locked participant commits or spoofed commits CWE-20	8.1	High	2023-10-04
CVE-2023-42448	Hydra's contestation period in head datum can be modified during Close transaction, allowing malicious participant to freely modify the contestation deadline CWE-20	8.1	High	2023-10-04
CVE-2023-38701	Hydra's committed UTxOs at Commit validator and UTxOs at Initial validator can be spent arbitrarily by anyone CWE-20	9.1	Critical	2023-10-04
CVE-2023-42806	Snapshot signature not including HeadID will allow replay attacks CWE-347	6.5	Medium	2023-09-21
CVE-2020-5300	Disallow replay of `private_key_jwt` by blacklisting JTIs in Hydra CWE-294	5.8	Medium	2020-04-06

All 12 known CVE vulnerabilities affecting hydra with full Chinese analysis, references, and POCs where available.