Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
| # | POC Description | Source Link | Shenlong Link |
|---|
| CVE-2026-55672 | 7.4 HIGH | ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token f |
| CVE-2026-56667 | 7.3 HIGH | ZITADEL: Stored XSS via Default URI Redirect in Login V2 |
| CVE-2026-56666 | 4.8 MEDIUM | ZITADEL: Auto-linking by email: IdP-side email verification is not checked |
| CVE-2026-55669 | 4.2 MEDIUM | ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider |
| CVE-2026-56665 | 4.2 MEDIUM | ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider |
| CVE-2026-56664 | 4.2 MEDIUM | ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider |
| CVE-2026-55670 | ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers | |
| CVE-2026-55671 | ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Component |
No comments yet