@better-auth/cli (>=1.5.0-beta.10 <=1.5.0-beta.13), @onmax/nuxt-better-auth (>=0.0.2-alpha.14 <=0.0.2-alpha.31) +2 more potentially affected by CVE-2026-45364 via better-auth (>=1.5.0-beta.10 <=1.5.0-beta.20)

better-auth NPM version =1.5.0-beta.10, =1.5.0-beta.10, =0.0.2-alpha.14, =1.5.0-beta.15, =0.0.2-beta.19, =0.0.10-beta.25 Source cves: CVE-2026-45364 Source advisory: OSV:GHSA-P6V2-XCPG-H6XW...

@alstar/studio (=0.0.0-beta.20), @better-auth/cli (>=1.0.0 <=1.4.1-beta.1) +71 more potentially affected by CVE-2026-45364 via better-auth (>=1.0.0-canary.10 <=1.4.16)

better-auth NPM version =1.0.0-canary.10, =1.0.0, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.26, =1.3.27, =0.18.0, =0.5.2, =1.0.2, =1.0.2, =1.0.2, =1.0.3 and more Source cves: CVE-2026-45364 Source advisory: SNYK:JS-BETTERAUTH-16722787...

@agentcorporation/server (>=0.3.3 <=0.3.13), @airisos/server (>=2026.324.0-canary.0 <=2026.325.0-canary.3) +145 more potentially affected by unknown CVE via better-auth (>=0.4.10-beta.10 <=1.4.4)

better-auth NPM version =0.4.10-beta.10, =0.3.3, =2026.324.0-canary.0, =2026.501.0, =2026.501.0, =0.0.7, =0.0.1, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.26, =1.3.27, =1.3.37 and more Source cves: unknown CVE Source advisory: OSV:GHSA-X732-6J76-QMHM...

@agentcorporation/server (>=0.3.3 <=0.3.13), @airisos/server (>=2026.324.0-canary.0 <=2026.325.0-canary.3) +142 more potentially affected by unknown CVE via better-auth (>=1.0.0-canary.10 <=1.4.22)

better-auth NPM version =1.0.0-canary.10, =0.3.3, =2026.324.0-canary.0, =2026.501.0, =2026.501.0, =0.0.7, =1.0.0, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.26, =1.3.27, =1.3.37 and more Source cves: unknown CVE Source advisory: SNYK:JS-BETTERAUTH-14157194...

@agentcorporation/server (>=0.3.3 <=0.3.13), @airisos/server (>=2026.324.0-canary.0 <=2026.325.0-canary.3) +130 more potentially affected by unknown CVE via better-auth (>=0.4.10-beta.10 <=1.4.2-beta.5)

better-auth NPM version =0.4.10-beta.10, =0.3.3, =2026.324.0-canary.0, =2026.501.0, =2026.501.0, =0.0.1, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.27, =1.3.26, =1.3.27, =0.18.0, =1.9.7 and more Source cves: unknown CVE Source advisory: OSV:GHSA-569Q-MPPH-WGWW...

@alstar/studio (=0.0.0-beta.20), @better-auth/cli (>=1.3.4 <=1.4.0-beta.28) +24 more potentially affected by unknown CVE via better-auth (>=1.3.34 <=1.4.0-beta.9)

better-auth NPM version =1.3.34, =1.3.4, =0.18.9, =0.5.2, =0.0.9, =0.0.9, =0.0.9, =0.0.3, =0.0.9, =0.0.8, =0.0.11, =0.0.9, =7.0.9-canary.2, =7.0.9-canary.2, =0.1.8, =0.1.9 and more Source cves: unknown CVE Source advisory: SNYK:JS-BETTERAUTH-14135654...

@better-auth/cli (>=1.2.0 <=1.3.25), @bgord/bun (>=0.18.0 <=0.29.10) +17 more potentially affected by CVE-2025-61928 via better-auth (>=1.2.0-beta.18 <=1.3.25)

better-auth NPM version =1.2.0-beta.18, =1.2.0, =0.18.0, =0.5.11, =0.0.0, =0.1.174, =1.0.2, =1.0.5, =1.0.0, =0.0.5, =1.2.13, =3.7.1, =1.0.12, =1.1.0 and more Source cves: CVE-2025-61928 Source advisory: SNYK:JS-BETTERAUTH-13537497...

CVE-2025-27143 Beter Auth has an Open Redirect via Scheme-Less Callback Parameter

Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While...

CVE-2025-27143 Beter Auth has an Open Redirect via Scheme-Less Callback Parameter

Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While...