World Passkey Day: Advancing passwordless authentication

World Passkey Day is a chance to reflect on progress toward a shared goal: reducing our reliance on passwords and other phishable authentication methods by accelerating passkey adoption. As cyberattacks become more automated and AI-powered, each account is only as secure as its weakest credential...

World Passkey Day: Advancing passwordless authentication

World Passkey Day is a chance to reflect on progress toward a shared goal: reducing our reliance on passwords and other phishable authentication methods by accelerating passkey adoption. As cyberattacks become more automated and AI-powered, each account is only as secure as its weakest credential...

Perforce Helix Core Server 安全漏洞

Perforce Helix Core Server is a centralized version control server offered by Perforce Corporation, designed for managing large-scale code and digital assets. Versions of Perforce Helix Core Server prior to 2026.1 contained security vulnerabilities. These vulnerabilities stemmed from insecure...

OpenClaw 访问控制错误漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an Access Control Error vulnerability that stems from the BlueBubbles webhook handler containing a passwordless fallback authentication path, which can be exploited by an attacker to cause an...

Pocket ID 安全漏洞

Pocket ID is an open-source identity provider that supports passwordless authentication. Versions of Pocket ID prior to 2.4.0 contained a security vulnerability. This vulnerability stemmed from the OIDC token endpoint only refusing authorization codes when the client ID was incorrect and the code...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

Summary A vulnerability in Zitadel's login V2 interface was discovered, allowing for possible account takeover. Impact Zitadel allows organization administrators to change the default redirect URI for their organization. This setting enables them to redirect users to an arbitrary location after...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint

Summary A vulnerability was discovered in Zitadel's login V2 interface that allowed a possible account takeover. Impact Zitadel exposes an HTTP endpoint named /saml-post. This endpoint is used for handling requests to SAML IdPs and accepts two HTTP GET parameters: url and id. When these parameter...

PT-2026-23105

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0 through 4.11.1 Description ZITADEL, an open source identity management platform, has a flaw in its login V2 interface that could allow for account takeover via Default URI Redirect. An unauthenticated remote attacker can...

CVE-2025-67495 ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login

ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the postlogoutredirect GET parameter. As a result, unauthenticate...

CVE-2025-67495

ZITADEL’s DOM-Based XSS in Zitadel V2 logout (CVE-2025-67495) affects 4.0.0-rc.1 through 4.7.0 via the /logout endpoint, where the post_logout_redirect parameter could be used to route malicious JavaScript to a user’s browser. The issue requires multiple active sessions in the same browser and is...

PT-2025-50278

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0-rc.1 through 4.7.0 Description ZITADEL, an open-source identity infrastructure tool, is susceptible to a DOM-Based Cross-Site Scripting XSS issue through the Zitadel V2 logout endpoint. The /logout API endpoint insecurel...

Cross-site Scripting (XSS)

Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Cross-site Scripting XSS via the postlogoutredirect parameter in the logout process. An attacker can execute arbitrary JavaScript code in the context ...

SUSE CVE-2025-64101

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...