cvebase

Usememos Memos vulnerabilities

73 known vulnerabilities affecting usememos/memos.

Total CVEs: 73
CISA KEV: 0
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 16, MEDIUM 51

Vulnerabilities

Page 2 of 4
CVE-2022-4796 | P3 | HIGH | CVSS 8.1 | fixed in 0.9.1 | 2022-12-28
CWE-648: Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2023-5036 | P3 | HIGH | CVSS 8.8 | fixed in 0.15.1 | 2023-09-18
CWE-352: Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1.
Source: nvd

CVE-2022-4844 | P3 | HIGH | CVSS 8.8 | fixed in 0.9.1 | 2022-12-29
CWE-352: Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4866 | P4 | CRITICAL | CVSS 9.0 | fixed in 0.9.1 | 2022-12-31
CWE-79: Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4865 | P4 | CRITICAL | CVSS 9.0 | fixed in 0.9.1 | 2022-12-31
CWE-79: Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4812 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-28
CWE-639: Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2025-65797 | P4 | MEDIUM | CVSS 6.5 | v0.25.2 | 2025-12-08
CWE-284: Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).
Source: nvd

CVE-2022-4767 | P4 | HIGH | CVSS 7.5 | fixed in 0.9.1 | 2022-12-27
CWE-400: Denial of Service in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4799 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-28
CWE-639: Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2025-65798 | P4 | MEDIUM | CVSS 5.4 | v0.25.2 | 2025-12-08
CWE-284: Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.
Source: nvd

CVE-2022-4863 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-30
CWE-280: Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4683 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.0 | 2022-12-23
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.
Source: nvd

CVE-2025-56760 | P4 | MEDIUM | CVSS 4.3 | v0.22.0 | 2025-09-03
CWE-24: When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.
Source: nvd

CVE-2022-4849 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-29
CWE-352: Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4850 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-29
CWE-352: Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4811 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.9.1 | 2022-12-28
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos. This issue affects usememos/memos before 0.9.1.
Source: nvd

CVE-2025-56761 | P4 | MEDIUM | CVSS 5.4 | v0.22.0 | 2025-09-03
CWE-79: Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serves it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.
Source: nvd

CVE-2022-4847 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-29
CWE-941: Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4800 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-28
CWE-940: Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd

CVE-2022-4846 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.9.1 | 2022-12-29
CWE-352: Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
Source: nvd