5 matches found
CVE-2026-27946
ZITADEL, prior to versions 4.11.1 and 3.4.7, has a vulnerability in its self-management capability that allowed a user to mark their email and/or phone as verified without going through actual verification. The fix, in versions 4.11.1 and 3.4.7, enforces the correct permission when the verifica...
CVE-2026-27946 ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7...
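The pattern behind this entry, as an added illustration that is not ZITADEL's code and does not use its real API: a self-service update handler that accepts a client-supplied "verified" flag with only the ordinary self-edit permission, next to the hardened variant that requires a separate, hypothetical privilege (`user.verified.write`, an assumed name) before any verified state may be asserted. The request and user types, permission names and caller model are all simplified assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical permission names; these are assumptions for this example,
// not ZITADEL's actual roles or scopes.
type Permission string

const (
	PermUserWrite         Permission = "user.write"          // edit other users' profiles
	PermUserVerifiedWrite Permission = "user.verified.write" // assert verified state (assumed, privileged)
)

// Caller is the authenticated principal making the request.
type Caller struct {
	UserID string
	Perms  map[Permission]bool
}

// UpdateHumanUserRequest models a self-service profile update. A nil
// *bool means the caller did not send the verified flag at all.
type UpdateHumanUserRequest struct {
	Email           string
	IsEmailVerified *bool
	Phone           string
	IsPhoneVerified *bool
}

type HumanUser struct {
	ID            string
	Email         string
	EmailVerified bool
	Phone         string
	PhoneVerified bool
}

var ErrPermissionDenied = errors.New("permission denied")

// canEditUser: a user may always edit their own profile; editing others
// needs the ordinary write permission.
func canEditUser(c Caller, u *HumanUser) bool {
	return c.UserID == u.ID || c.Perms[PermUserWrite]
}

// assertsVerified reports whether the request tries to set a verified flag.
func assertsVerified(req UpdateHumanUserRequest) bool {
	return req.IsEmailVerified != nil || req.IsPhoneVerified != nil
}

// applyFields writes the request onto the user. Verified flags are applied
// last, so a request that both changes the address and sends verified=true
// ends with the new, never-checked address marked verified.
func applyFields(u *HumanUser, req UpdateHumanUserRequest) {
	if req.Email != "" && req.Email != u.Email {
		u.Email = req.Email
		u.EmailVerified = false // a changed address must be re-verified
	}
	if req.Phone != "" && req.Phone != u.Phone {
		u.Phone = req.Phone
		u.PhoneVerified = false
	}
	if req.IsEmailVerified != nil {
		u.EmailVerified = *req.IsEmailVerified
	}
	if req.IsPhoneVerified != nil {
		u.PhoneVerified = *req.IsPhoneVerified
	}
}

// VulnerableUpdateHumanUser: the only check is "may this caller edit this
// user", so a user editing themselves can also flip the verified flags and
// skip the code-based verification flow entirely.
func VulnerableUpdateHumanUser(c Caller, u *HumanUser, req UpdateHumanUserRequest) error {
	if !canEditUser(c, u) {
		return ErrPermissionDenied
	}
	applyFields(u, req)
	return nil
}

// FixedUpdateHumanUser: changing contact data stays self-service, but
// asserting a verified state needs a privilege the ordinary user lacks.
// The check runs before any field is written, so a rejected request
// leaves the user untouched.
func FixedUpdateHumanUser(c Caller, u *HumanUser, req UpdateHumanUserRequest) error {
	if !canEditUser(c, u) {
		return ErrPermissionDenied
	}
	if assertsVerified(req) && !c.Perms[PermUserVerifiedWrite] {
		return ErrPermissionDenied
	}
	applyFields(u, req)
	return nil
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed scenario: a user swaps in an address they do not control
	// and claims it is already verified, in the same request.
	self := Caller{UserID: "u1", Perms: map[Permission]bool{}}
	req := UpdateHumanUserRequest{Email: "new@example.com", IsEmailVerified: boolPtr(true)}

	vuln := HumanUser{ID: "u1", Email: "old@example.com", EmailVerified: true}
	fmt.Println("vulnerable:", VulnerableUpdateHumanUser(self, &vuln, req), vuln.Email, vuln.EmailVerified)

	fixed := HumanUser{ID: "u1", Email: "old@example.com", EmailVerified: true}
	fmt.Println("fixed:     ", FixedUpdateHumanUser(self, &fixed, req), fixed.Email, fixed.EmailVerified)
}
```

The fix is an authorization decision made on the shape of the request, not on the identity of the target: "may this caller edit this record" and "may this caller assert verification" are different privileges, and the second must be checked before any state is written.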
Cross-site Scripting (XSS)
Matrix Android SDK 2 is vulnerable to cross-site scripting. The vulnerability exists in multiple functions in MXMegolmDecryption.kt due to protocol confusion that lets an attacker send fake to-device messages and inject the key backup secret during a self-verification...
Spoofing Attack
matrix-js-sdk is vulnerable to spoofing attacks. The vulnerability exists due to a lack of sanitization of the secret key sent during self-verification, allowing an attacker to send fake to-device messages appearing to originate from another user...