Dani-garcia Vaultwarden — known CVE vulnerabilities
Every CVE whose affected-product data names Dani-garcia Vaultwarden, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (20)
CVE-2024-55225 — CVSS 9.8 (critical): An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including…
CVE-2024-55224 — CVSS 9.6 (critical): An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload…
CVE-2024-39924 — CVSS 8.8 (high): An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and…
CVE-2026-43912 — CVSS 8.7 (high): Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organi…
CVE-2026-27802 — CVSS 8.3 (high): Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, there is…
CVE-2026-27803 — CVSS 8.3 (high): Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a…
CVE-2025-24365 — CVSS 8.1 (high): vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can obtain owner rights…
CVE-2026-43913 — CVSS 8.1 (high): Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to…
CVE-2024-56335 — CVSS 7.6 (high): vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker…
CVE-2026-43914 — CVSS 7.3 (high): Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows…
CVE-2025-24364 — CVSS 7.2 (high): vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with authenticated…
CVE-2026-43911 — CVSS 6.8 (medium): Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's…
CVE-2026-26012 — CVSS 6.5 (medium): vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular…
CVE-2024-39925 — CVSS 6.5 (medium): An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an…
CVE-2026-27801 — CVSS 5.9 (medium): Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and…
CVE-2026-31835 — CVSS 5.4 (medium): Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in…
CVE-2024-55226 — CVSS 5.4 (medium): Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component…
CVE-2024-39926 — CVSS 5.4 (medium): An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML…
CVE-2026-27898 — CVSS 5.4 (medium): Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an…
CVE-2026-33420 — CVSS 5.3 (medium): Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET…