28 matches found
PT-2026-39863
Name of the Vulnerable Software and Affected Versions Vaultwarden versions prior to 1.35.5 Description Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The issue exists because the 'POST /api/ciphers/purge' endpoint verifies that a user has the Owner...
CVE-2026-27801
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass ...
CVE-2024-39924
An issue was discovered in Vaultwarden formerly BitwardenRS 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate...
CVE-2024-39926
An issue was discovered in Vaultwarden formerly BitwardenRS 1.30.3. A stored cross-site scripting XSS or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard,...
EUVD-2024-53116
Malicious code in bioql PyPI...
EUVD-2024-38303
Malicious code in bioql PyPI...
Exploit for Incorrect Default Permissions in Dani-Garcia Vaultwarden
PoC-CVE-2024-39924 PoC and lab setup for CVE-2024-39924 De...
CVE-2025-24365
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Attacker can obtain owner rights of other organization. Hacker should know the ID of victim organization in real case the user can be a part of the organization as an unprivileged user and be...
CVE-2025-24365 vaultwarden allows escalation of privilege via variable confusion in OrgHeaders trait
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Attacker can obtain owner rights of other organization. Hacker should know the ID of victim organization in real case the user can be a part of the organization as an unprivileged user and be...
CVE-2025-24364
CVE-2025-24364 affects vaultwarden (Unofficial Bitwarden server) written in Rust. The vuln requires authenticated access to the vaultwarden admin panel and allows arbitrary code execution by manipulating mail settings to trigger shell commands, with a specially crafted favicon used to embed comma...
Vaultwarden HTML injection vulnerability
An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message...
CVE-2024-55224
An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message...
CVE-2024-55225
An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request...
CVE-2024-55226
Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting XSS vulnerability via the component /api/core/mod.rs...
CVE-2024-55225
An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request...
CVE-2024-55224
An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message...
PT-2025-3104 · Unknown · Vaultwarden
Name of the Vulnerable Software and Affected Versions: Vaultwarden version 1.32.5 Description: The issue is related to an authenticated reflected Cross-Site Scripting XSS vulnerability. This vulnerability is present in the /api/core/mod.rs component. Recommendations: For Vaultwarden version 1.32....
CVE-2024-55226
Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting XSS vulnerability via the component /api/core/mod.rs...
CVE-2024-55224
An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message...
CVE-2024-55224
Vaultwarden (before 1.32.5) is affected by an HTML injection vulnerability that could allow an attacker to execute arbitrary code by injecting a crafted payload into the username field of an e‑mail message. The issue is described across multiple sources (including GHSA and OSV) as a Vaultwarden H...