CVE-2025-56761

Published: Sep 3, 2025

Modified: Sep 4, 2025

PUBLISHED

Description

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48

https://github.com/usememos/memos/blob/v0.24.0/server/router/api/v1/user_service.go#L147

https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-56761

Description

Affected Products

References