Vaultwarden
This hub aggregates every CVE we track for Vaultwarden, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 19
- Critical: 2
- High: 9
- In CISA KEV: 0
Severity distribution
- HIGH: 9
- MEDIUM: 8
- CRITICAL: 2
Monthly trend (chart): 2024-07 to 2026-06
Latest CVEs
The 15 most recently published vulnerabilities affecting Vaultwarden.
- CVE-2026-43914 Vaultwarden: Brute-force protection bypass vulnerability (7.3)
- CVE-2026-43913 Vaultwarden: Unconfirmed Owner Can Purge Entire Organization Vault (8.1)
- CVE-2026-43912 Vaultwarden: Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization (8.7)
- CVE-2026-43911 Vaultwarden: Refresh tokens not invalidated on security stamp rotation (6.8)
- CVE-2026-33420 Vaultwarden missing authorization check allows Manager-role users to enumerate all collections (5.3)
- CVE-2026-31835 Vaultwarden WebAuthn credential metadata tampered before signature verification (5.4)
- CVE-2026-27898 Vaultwarden: Unauthorized Access via Partial Update API on Another User’s Cipher (5.4)
- CVE-2026-27803 Vaultwarden: Collection Management Operations Allowed Without `manage` Verification for Manager Role (8.3)
- CVE-2026-27802 Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager (8.3)
- CVE-2026-26012 vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions (6.5)
- CVE-2025-24365 vaultwarden allows escalation of privilege via variable confusion in OrgHeaders trait (8.1)
- CVE-2025-24364 vaultwarden allows RCE in the admin panel (7.2)
- CVE-2024-55226 Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs. (5.4)
- CVE-2024-55224 An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message. (9.6)
- CVE-2024-55225 An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request. (9.8)
Product normalization is registry-driven with AI assist and human review.