13 Total advisories
13 Vulnerabilities
0 Malware
Vulnerabilities
HIGH 7.6
CVE-2026-45337
Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
HIGH 7.3
CVE-2026-45364
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
MEDIUM 5.3
GHSA-wxw3-q3m9-c3jr
Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
UNKNOWN
GHSA-wmjr-v86c-m9jj
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
UNKNOWN
GHSA-xg6x-h9c9-2m83
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
UNKNOWN
CVE-2024-56734
Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
UNKNOWN
CVE-2025-27143
Better Auth has an Open Redirect via Scheme-Less Callback Parameter
HIGH 8.6
GHSA-x732-6j76-qmhm
Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
HIGH 8.6
CVE-2025-61928
Better Auth: Unauthenticated API key creation through api-key plugin
HIGH 7.1
GHSA-vp58-j275-797x
Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
UNKNOWN
GHSA-9x4v-xfq5-m8x5
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
UNKNOWN
GHSA-569q-mpph-wgww
Better Auth affected by external request basePath modification DoS
UNKNOWN
CVE-2025-53535
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes