GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
12 advisories
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
High
CVE-2025-67495
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
High
GHSA-pfrf-9r5f-73f5
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Critical
CVE-2025-67494
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
High
CVE-2025-64101
was published
for
github.com/zitadel/zitadel/v2
(Go)
Oct 29, 2025
ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
High
CVE-2025-48936
was published
for
github.com/zitadel/zitadel
(Go)
May 28, 2025
IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
Critical
CVE-2025-27507
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2025
ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
High
CVE-2024-32868
was published
for
github.com/zitadel/zitadel
(Go)
Apr 25, 2024
ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass
High
CVE-2024-29891
was published
for
github.com/zitadel/zitadel
(Go)
Mar 28, 2024
Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
High
CVE-2024-28197
was published
for
github.com/zitadel/zitadel
(Go)
Mar 11, 2024
ZITADEL Account Takeover via Malicious Host Header Injection
High
CVE-2023-49097
was published
for
github.com/zitadel/zitadel
(Go)
Nov 29, 2023
Argo CD repo-server Denial of Service vulnerability
Moderate
CVE-2023-40584
was published
for
github.com/argoproj/argo-cd/v2
(Go)
Sep 11, 2023
SpiceDB binding metrics port to untrusted networks and can leak command-line flags
High
CVE-2023-29193
was published
for
github.com/authzed/spicedb
(Go)
Apr 13, 2023
ProTip!
Advisories are also available from the
GraphQL API