Open redirect on affiliate page
Reported on March 20, 2026
An affiliate marketing tool used on our page allowed redirects to any website. An attacker could exploit this in a phishing campaign, redirecting users from a legitimate-looking URL to a malicious website.
Reported by Toshit Bharti
Trezor.io
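The usual mitigation for this class of bug is to validate the redirect target against an allowlist before redirecting. The following is an added example, not Trezor's or the affiliate tool's code; the host names, the fallback path and the function name `safeRedirectTarget` are assumptions.

```javascript
// Added example: allowlist validation for a redirect-target parameter.
// Host names, FALLBACK and the function name are assumptions for illustration.
const SITE_ORIGIN = "https://shop.example/"; // constructed: the site's own origin
const ALLOWED_HOSTS = new Set(["shop.example", "partner.example"]); // constructed allowlist
const FALLBACK = "/"; // where to send the user when the target is rejected

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  // Control characters (tab, CR, LF, ...) are stripped by URL parsers and can
  // hide a scheme or host from naive string checks, so reject them outright.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return FALLBACK;

  let url;
  try {
    // Parse the way a browser would: relative paths resolve against the site,
    // while "//host" and "\\host" resolve to another host and fail the check below.
    url = new URL(raw, SITE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== "https:") return FALLBACK;        // no http:, javascript:, data:
  if (url.username || url.password) return FALLBACK;     // no userinfo before the real host
  if (url.port !== "") return FALLBACK;                  // default port only
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK; // exact match, not suffix or substring
  return url.href;                                       // normalized absolute URL
}

// Constructed sample inputs: two acceptable targets, then ones that must be rejected.
const samples = [
  "/affiliate/welcome",
  "https://partner.example/landing?ref=abc",
  "https://attacker.example/",
  "//attacker.example/path",
  "\\\\attacker.example",
  "https://shop.example@attacker.example/",
  "https://shop.example.attacker.example/",
  "javascript:alert(1)",
];
for (const s of samples) console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
```

Matching the parsed `hostname` exactly, rather than testing the raw string with `startsWith` or `includes`, is what makes the userinfo and lookalike-subdomain inputs fall through to the fallback.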
Resolved vulnerabilities
Reported by the community. Investigated. Resolved. Because your security is never optional.
- Reflected cross-site scripting (XSS) vulnerability on connect.trezor.io via hash fragment script injection (March 25, 2026)
- Biometric Verification bypassed in Trezor Suite with external monitor (March 9, 2026)
- Insufficient entropy on Trezor Model One with 12/18 words (February 6, 2026)
- Bug in multisig verification (January 10, 2026)
- Inability to cancel certain flows on pre-production firmware (October 31, 2025)
- Fix side-channel in BIP-39 mnemonic processing when unlocked (September 24, 2025)