CVE-2022-25978

MEDIUM
6.1 CVSS 3.1
Published Feb 15, 2023
Last Modified Jun 17, 2026

Description

All versions of the package github.com/usememos/memos/server are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on external resources, which allows malicious actors to introduce links starting with a javascript: scheme.
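The weakness described above is a link-scheme check that can be bypassed: a denylist that only matches the literal string "javascript:" misses case variants and whitespace that browsers strip before parsing. The following Go program is an added example written for this page, not code from the memos project or from the linked patch. It places a constructed weak check (WeakLinkCheck) beside a hardened one (SafeLink) that normalizes the input the way the WHATWG URL parser does and then accepts only an allowlist of schemes or a relative path. All function names, the allowlist contents and the sample links are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is the scheme allowlist for user-supplied links (an
// assumption for this example). Allowlisting closes the whole class
// (javascript:, data:, vbscript: ...) instead of chasing individual schemes.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// WeakLinkCheck is a constructed illustration of an insufficient check, not
// memos' code: a case-sensitive prefix test that only catches the literal
// "javascript:" and lets "JavaScript:" or " javascript:" through.
func WeakLinkCheck(raw string) bool {
	return !strings.HasPrefix(raw, "javascript:")
}

// SafeLink validates an untrusted href before it is placed in an <a> tag.
// It normalizes the string the way browsers do (WHATWG URL parsing strips
// leading/trailing C0 controls and spaces and removes tabs and newlines
// anywhere), parses it, and accepts only allowlisted schemes or relative
// paths. It returns the URL to emit and true, or "" and false.
func SafeLink(raw string) (string, bool) {
	cleaned := strings.TrimFunc(raw, func(r rune) bool { return r <= 0x20 })
	cleaned = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, cleaned)

	u, err := url.Parse(cleaned)
	if err != nil {
		return "", false
	}
	if u.Scheme == "" {
		// Relative link such as "/memo/42". Protocol-relative "//host/..."
		// would inherit the page's scheme and point off-site, so reject it.
		if strings.HasPrefix(cleaned, "//") {
			return "", false
		}
		return u.String(), true
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return "", false
	}
	return u.String(), true
}

func main() {
	// Constructed sample inputs: payloads a denylist misses, plus links that
	// must keep working after the check is hardened.
	samples := []string{
		"javascript:alert(document.cookie)",
		"JavaScript:alert(1)",
		" javascript:alert(1)",
		"java\tscript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"//evil.example/steal",
		"https://example.com/page?id=1",
		"/memo/42",
		"mailto:user@example.com",
	}
	for _, s := range samples {
		out, ok := SafeLink(s)
		fmt.Printf("%-45q weak=%-5v safe=%-5v href=%q\n", s, WeakLinkCheck(s), ok, out)
	}
}
```

Running it shows the weak check passing "JavaScript:alert(1)", " javascript:alert(1)" and "java\tscript:alert(1)" while SafeLink rejects all of them and still accepts the https, mailto and relative links. The check belongs at render time, on the server side that emits the HTML, and a strict Content-Security-Policy is a useful second layer but not a substitute for it.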

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor    Product  Version  Range
usememos  memos    *        any

References

  • github.com https://github.com/usememos/memos/commit/b11d2130a084385eb65c3761a3c841ebe9f81ae8
    Patch
  • github.com https://github.com/usememos/memos/issues/1026
    Exploit
  • security.snyk.io https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUSEMEMOSMEMOSSERVER-3319070
    Exploit, Issue Tracking, Patch, Third Party Advisory

Remediation

  • github.com https://github.com/usememos/memos/commit/b11d2130a084385eb65c3761a3c841ebe9f81ae8
    Patch
  • security.snyk.io https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUSEMEMOSMEMOSSERVER-3319070
    Exploit, Issue Tracking, Patch, Third Party Advisory