Every CVE whose affected-product data names Bitwarden Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (8)
CVE-2026-43640 — CVSS 8.1 (high): Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM…
CVE-2026-43639 — CVSS 8.0 (high): Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary…
CVE-2020-15879 — CVSS 7.5 (high): Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the…
CVE-2026-57520 — CVSS 7.1 (high): Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers…
CVE-2026-43638 — CVSS 5.4 (medium): Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into…
CVE-2026-57521 — CVSS 4.3 (medium): Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary…
CVE-2026-57522 — CVSS 3.5 (low): Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes…