VYPR

Server

by Bitwarden

CVEs (6)

  • CVE-2026-43640 | High | May 11, 2026
    risk 0.46 | cvss 8.1 | epss 0.01

    Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

  • CVE-2026-43639 | High | May 11, 2026
    risk 0.45 | cvss 8.0 | epss 0.01

    Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization;…

  • CVE-2026-43638 | Medium | May 11, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side…

  • CVE-2025-5138 | Low | May 25, 2025
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The…

  • CVE-2020-15879 | Jul 21, 2020
    risk 0.00 | cvss | epss 0.03

    Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16).

  • CVE-2019-19766 | Dec 12, 2019
    risk 0.00 | cvss | epss 0.01

    The Bitwarden server through 1.32.0 has a potentially unwanted KDF.