CVE-2025-24364

High CVSS: 7.2

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code in the system. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email. This vulnerability is fixed in 1.33.0.

Vendor

Dani-garcia

Product

Vaultwarden

CWE

CWE-74

Yayın Tarihi

2025-01-27 18:15:41

Güncelleme

2025-08-20 14:16:53

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-74 Vaultwarden HIGH Dani-garcia 2025

Referanslar

https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0 https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h6cc-rc6q-23j4

Benzer Kayıtlar

High

CVE-2026-27802

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to versi…

High

CVE-2026-27803

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to versi…

Medium

CVE-2026-27898

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to versi…

Medium

CVE-2026-27801

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden ve…

Medium

CVE-2026-26012

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.…

High

CVE-2025-24365

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can o…