VYPR
Vendor: Bitwarden
Products: 3
CVEs: 9 (across products: 10)
Status: Private

Recent CVEs (9)
  • CVE-2026-42994 | Critical | May 1, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.

  • CVE-2026-43640 | High | May 11, 2026
    risk 0.46 | cvss 8.1 | epss 0.01

    Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

  • CVE-2026-43639 | High | May 11, 2026
    risk 0.45 | cvss 8.0 | epss 0.01

    Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization;…

  • CVE-2026-43638 | Medium | May 11, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side…

  • CVE-2025-5138 | Low | May 25, 2025
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The…

  • CVE-2023-27974 | Mar 8, 2023
    risk 0.00 | cvss: none listed | epss 0.01

    Bitwarden through 2023.2.1 offers password auto-fill when the second-level domain matches, e.g., a password stored for an example.com hosting provider when customer-website.example.com is visited. NOTE: the vendor's position is that "Auto-fill on page load" is not enabled by…

  • CVE-2018-25081 | Mar 8, 2023
    risk 0.00 | cvss: none listed | epss 0.01

    Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on…

  • CVE-2020-15879 | Jul 21, 2020
    risk 0.00 | cvss: none listed | epss 0.03

    Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16).

  • CVE-2019-19766 | Dec 12, 2019
    risk 0.00 | cvss: none listed | epss 0.01

    The Bitwarden server through 1.32.0 has a potentially unwanted KDF.