github.com/usememos/memos vulnerabilities
74 known vulnerabilities affecting github.com/usememos_memos.
Total CVEs: 74
CISA KEV: 0
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 4, HIGH 15, MEDIUM 54, LOW 1
Vulnerabilities
Page 1 of 4
CVE-2024-29029 | P1 | MEDIUM | Exploited | PoC | versions ≥ 0, < 0.22.0 | 2024-08-05
CVE-2024-29029 [MEDIUM] CWE-79 memos vulnerable to Server-Side Request Forgery and Cross-site Scripting
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the `/o/get/image` endpoint that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causin
CVE-2024-29028 | P2 | MEDIUM | Exploited | PoC | versions ≥ 0, < 0.16.1 | 2024-08-05
CVE-2024-29028 [MEDIUM] CWE-918 memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta endpoint that allows unauthenticated users to enumerate the internal network and receive limited HTML values in JSON form. This vulnerability is fixed in 0.16.1.
CVE-2024-29030 | P2 | MEDIUM | Exploited | PoC | versions ≥ 0, < 0.22.0 | 2024-08-05
CVE-2024-29030 [MEDIUM] CWE-918 memos vulnerable to Server-Side Request Forgery in /api/resource
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the `/api/resource` endpoint that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.
CVE-2025-22952 | P2 | MEDIUM | Exploited | PoC | versions ≥ 0, ≤ 0.24.0 | 2025-02-27
CVE-2025-22952 [MEDIUM] CWE-918 Memos Server-Side Request Forgery (SSRF)
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs.
CVE-2025-50738 | P2 | MEDIUM | PoC | versions ≥ 0, < 0.24.4 | 2025-07-29
CVE-2025-50738 [MEDIUM] CWE-200 Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the vi
CVE-2025-65795 | P3 | HIGH | versions ≥ 0, < 0.25.3 | 2025-12-08
CVE-2025-65795 [HIGH] CWE-284 memos vulnerability allows the creation of arbitrary accounts
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
CVE-2022-4809 | P3 | HIGH | versions ≥ 0, < 0.9.1 | 2022-12-28
CVE-2022-4809 [HIGH] CWE-284 usememos/memos Improper Access Control vulnerability
usememos/memos 0.9.0 and prior is vulnerable to full account takeover via changing user name, email address, and display name.
CVE-2022-4689 | P3 | HIGH | versions ≥ 0, < 0.9.0 | 2022-12-23
CVE-2022-4689 [HIGH] CWE-284 usememos/memos vulnerable to account takeover due to improper access control
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Versions prior to 0.9.0 improperly maintain access control, allowing an attacker to take over an account by changing header values in the HTTP request.
CVE-2024-41659 | P3 | HIGH | versions ≥ 0, < 0.21.0 | 2024-08-22
CVE-2024-41659 [HIGH] CWE-942 memos CORS Misconfiguration in server.go (GHSL-2024-034)
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to
CVE-2022-4684 | P3 | HIGH | versions ≥ 0, < 0.9.0 | 2022-12-23
CVE-2022-4684 [HIGH] CWE-284 usememos/memos Improper Access Control vulnerability
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
CVE-2023-4696 | P3 | CRITICAL | versions ≥ 0, < 0.13.2 | 2023-09-01
CVE-2023-4696 [CRITICAL] CWE-284 Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos
Improper Access Control in GitHub repository usememos/memos prior to 0.13.2. As of commit `c9aa2eeb9`, access tokens which fail validation are rejected.
CVE-2022-4803 | P3 | HIGH | versions ≥ 0, < 0.9.1 | 2022-12-28
CVE-2022-4803 [HIGH] CWE-284 usememos/memos Improper Access Control vulnerability
usememos/memos 0.9.0 and prior is vulnerable to Improper Access Control.
CVE-2024-21635 | P3 | HIGH | versions ≥ 0, < 0.18.2 | 2025-11-14
CVE-2024-21635 [HIGH] CWE-287 Memos' Access Tokens Stay Valid after User Password Change
Summary
Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stays valid instead of expiring. If a user finds that their account has been compromised, they can update their password.
The bad actor though will still have access to their account because the bad actor's Ac
CVE-2023-4697 | P3 | HIGH | versions ≥ 0, < 0.13.2 | 2023-09-01
CVE-2023-4697 [HIGH] CWE-269 usememos/memos vulnerable to privilege escalation
Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.
CVE-2022-4688 | P3 | HIGH | versions ≥ 0, < 0.9.0 | 2022-12-23
CVE-2022-4688 [HIGH] CWE-285 usememos/memos vulnerable to improper authorization
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos versions prior to 0.9.0 are vulnerable to improper authorization, which can allow a user to modify the nickname, username and email of other users without permission.
CVE-2026-6634 | P3 | LOW | versions ≥ 0, ≤ 0.22.1 | 2026-04-20
CVE-2026-6634 [LOW] CWE-266 Memos has an Incorrect Privilege Assignment issue
A weakness has been identified in usememos memos up to 0.22.1. This affects the function memos_access_token of the file src/App.tsx of the component UpdateInstanceSetting. Manipulation of the argument additionalStyle/additionalScript causes improper authorization. The attack can be carried out remotely. The exploit has been made available to the public
CVE-2022-4686 | P3 | CRITICAL | versions ≥ 0, < 0.9.0 | 2022-12-23
CVE-2022-4686 [CRITICAL] CWE-639 usememos/memos Authorization Bypass Through User-Controlled Key vulnerability
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-4808 | P3 | HIGH | versions ≥ 0, < 0.9.1 | 2022-12-28
CVE-2022-4808 [HIGH] CWE-269 usememos/memos Improper Privilege Management vulnerability
Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-4687 | P3 | HIGH | versions ≥ 0, < 0.9.0 | 2022-12-23
CVE-2022-4687 [HIGH] CWE-269 usememos/memos makes Incorrect Use of Privileged APIs
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-4796 | P3 | HIGH | versions ≥ 0, < 0.9.1 | 2022-12-28
CVE-2022-4796 [HIGH] CWE-648 usememos/memos makes Incorrect Use of Privileged APIs
In usememos/memos 0.9.0 and prior, a user with login permission can delete all notes of the whole application via `API DELETE https://demo.usememos.com/api/memo/$idnote`. Exploiting the vulnerability destroys all user note data throughout the system.