
Github.Com Usememos Memos vulnerabilities

74 known vulnerabilities affecting github.com/usememos_memos.

Total CVEs: 74
CISA KEV: 0
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 4, HIGH 15, MEDIUM 54, LOW 1

Vulnerabilities

Page 1 of 4
CVE-2024-29029 | P1 | MEDIUM | Exploited, PoC | affected: ≥ 0, < 0.22.0 | published 2024-08-05
CWE-79: memos vulnerable to Server-Side Request Forgery and Cross-site Scripting
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the `/o/get/image` that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causin
Sources: GHSA, OSV

CVE-2024-29028 | P2 | MEDIUM | Exploited, PoC | affected: ≥ 0, < 0.16.1 | published 2024-08-05
CWE-918: memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1.
Sources: GHSA, OSV

CVE-2024-29030 | P2 | MEDIUM | Exploited, PoC | affected: ≥ 0, < 0.22.0 | published 2024-08-05
CWE-918: memos vulnerable to Server-Side Request Forgery in /api/resource
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the `/api/resource` that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.
Sources: GHSA, OSV

CVE-2025-22952 | P2 | MEDIUM | Exploited, PoC | affected: ≥ 0, ≤ 0.24.0 | published 2025-02-27
CWE-918: Memos Server-Side Request Forgery (SSRF)
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
Sources: GHSA, OSV

CVE-2025-50738 | P2 | MEDIUM | PoC | affected: ≥ 0, < 0.24.4 | published 2025-07-29
CWE-200: Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the vi
Sources: GHSA, OSV

CVE-2025-65795 | P3 | HIGH | affected: ≥ 0, < 0.25.3 | published 2025-12-08
CWE-284: memos vulnerability allows the creation of arbitrary accounts
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
Sources: GHSA, OSV

CVE-2022-4809 | P3 | HIGH | affected: ≥ 0, < 0.9.1 | published 2022-12-28
CWE-284: usememos/memos Improper Access Control vulnerability
usememos/memos 0.9.0 and prior is vulnerable to full account takeover via changing user name, email address, and display name.
Sources: GHSA, OSV

CVE-2022-4689 | P3 | HIGH | affected: ≥ 0, < 0.9.0 | published 2022-12-23
CWE-284: usememos/memos vulnerable to account takeover due to improper access control
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Versions prior to 0.9.0 improperly maintain access control, allowing an attacker to take over an account by changing header values in the HTTP request.
Sources: GHSA, OSV

CVE-2024-41659 | P3 | HIGH | affected: ≥ 0, < 0.21.0 | published 2024-08-22
CWE-942: memos CORS Misconfiguration in server.go (GHSL-2024-034)
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to
Sources: GHSA, OSV

CVE-2022-4684 | P3 | HIGH | affected: ≥ 0, < 0.9.0 | published 2022-12-23
CWE-284: usememos/memos Improper Access Control vulnerability
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
Sources: GHSA, OSV

CVE-2023-4696 | P3 | CRITICAL | affected: ≥ 0, < 0.13.2 | published 2023-09-01
CWE-284: Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos
Improper Access Control in GitHub repository usememos/memos prior to 0.13.2. As of commit `c9aa2eeb9` access tokens which fail validation are rejected.
Sources: GHSA, OSV

CVE-2022-4803 | P3 | HIGH | affected: ≥ 0, < 0.9.1 | published 2022-12-28
CWE-284: usememos/memos Improper Access Control vulnerability
usememos/memos 0.9.0 and prior is vulnerable to Improper Access Control.
Sources: GHSA, OSV

CVE-2024-21635 | P3 | HIGH | affected: ≥ 0, < 0.18.2 | published 2025-11-14
CWE-287: Memos' Access Tokens Stay Valid after User Password Change
Summary: Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stays valid instead of expiring. If a user finds that their account has been compromised, they can update their password. The bad actor though will still have access to their account because the bad actor's Ac
Sources: GHSA, OSV

CVE-2023-4697 | P3 | HIGH | affected: ≥ 0, < 0.13.2 | published 2023-09-01
CWE-269: usememos/memos vulnerable to privilege escalation
Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.
Sources: GHSA, OSV

CVE-2022-4688 | P3 | HIGH | affected: ≥ 0, < 0.9.0 | published 2022-12-23
CWE-285: usememos/memos vulnerable to improper authorization
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos versions prior to 0.9.0 are vulnerable to improper authorization, which can allow a user to modify the nickname, username and email of other users without permission.
Sources: GHSA, OSV

CVE-2026-6634 | P3 | LOW | affected: ≥ 0, ≤ 0.22.1 | published 2026-04-20
CWE-266: Memos has an Incorrect Privilege Assignment issue
A weakness has been identified in usememos memos up to 0.22.1. This affects the function memos_access_token of the file src/App.tsx of the component UpdateInstanceSetting. This manipulation of the argument additionalStyle/additionalScript causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public
Sources: GHSA

CVE-2022-4686 | P3 | CRITICAL | affected: ≥ 0, < 0.9.0 | published 2022-12-23
CWE-639: usememos/memos Authorization Bypass Through User-Controlled Key vulnerability
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.
Sources: GHSA, OSV

CVE-2022-4808 | P3 | HIGH | affected: ≥ 0, < 0.9.1 | published 2022-12-28
CWE-269: usememos/memos Improper Privilege Management vulnerability
Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.
Sources: GHSA, OSV

CVE-2022-4687 | P3 | HIGH | affected: ≥ 0, < 0.9.0 | published 2022-12-23
CWE-269: usememos/memos makes Incorrect Use of Privileged APIs
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.
Sources: GHSA, OSV

CVE-2022-4796 | P3 | HIGH | affected: ≥ 0, < 0.9.1 | published 2022-12-28
CWE-648: usememos/memos makes Incorrect Use of Privileged APIs
In usememos/memos 0.9.0 and prior, a user with login permission can delete all notes of the whole application via `API DELETE https://demo.usememos.com/api/memo/$idnote`. The vulnerability will lose all user notes data throughout the system, causing damage to user data.
Sources: GHSA, OSV
