Back to Guardra
Advisories
CVEs coordinated by Guardra Labs.
Our research team has disclosed 40+ CVEs since 2023 across cloud infrastructure, identity systems, LLM tooling, and open-source dependencies. 90-day default disclosure window.
Recent disclosures
| CVE | Severity | Title | Vendor | Date | |
|---|---|---|---|---|---|
| CVE-2026-11284 | CRITICAL 9.8 | OAuth authentication bypass | oauth-toolkit | Feb 2026 | Details |
| CVE-2025-98712 | HIGH 8.6 | Prototype pollution in Top-50 npm package | (coordinated) | Dec 2025 | Details |
| CVE-2025-74419 | CRITICAL 9.1 | Deserialization RCE in CI plugin | (coordinated) | Oct 2025 | Details |
| CVE-2025-51007 | HIGH 8.1 | LLM prompt-injection → data exfiltration | AI coding assistant | Jul 2025 | Details |
| CVE-2025-44910 | HIGH 7.8 | Indirect injection in major RAG framework | (coordinated) | Jun 2025 | Details |
| CVE-2025-30182 | CRITICAL 9.4 | Tool-call confused-deputy in agent SDK | (coordinated) | Apr 2025 | Details |
| CVE-2025-19847 | HIGH 8.3 | Vector-store authentication flaw | Cloud vendor | Feb 2025 | Details |
| CVE-2024-98221 | CRITICAL 9.9 | Memory exfiltration via chained tool-calls | (coordinated) | Dec 2024 | Details |
| CVE-2024-75591 | HIGH 8.0 | SSRF in webhook proxy service | CI platform | Sep 2024 | Details |
| CVE-2024-43102 | MEDIUM 6.3 | IAM policy parser ambiguity | Cloud vendor | Jun 2024 | Details |
| CVE-2024-17810 | HIGH 8.4 | Secrets manager race on rotation | (coordinated) | Mar 2024 | Details |
| CVE-2023-92011 | CRITICAL 9.6 | Supply-chain substitution attack (dep confusion) | (multiple) | Nov 2023 | Details |
Coordinated disclosure policy
Default 90-day window. Extended on request for vendors acting in good faith. If a vulnerability is being actively exploited, we reserve the right to publish sooner. All disclosures include a reproducer, impact analysis, and suggested mitigations.