CVE-2025-56761
Description
Memos 0.22 is vulnerable to stored cross-site scripting (XSS) via the attachment upload and user avatar features. Memos does not verify the content type of uploaded data and serves it back as-is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memos 0.22 stored XSS via unverified content type in uploads lets an authenticated attacker escalate to admin-level compromise.
Vulnerability
Overview
Memos 0.22 is vulnerable to stored cross-site scripting (XSS) through its attachment upload and user avatar features. The application fails to verify the content type of uploaded data and serves the file back to users as-is, allowing an attacker to upload arbitrary HTML or JavaScript content [1][2].
Exploitation
Prerequisites
An attacker must be authenticated to the Memos instance. The upload endpoint does not perform any content-type validation, so a malicious file (e.g., an HTML file containing JavaScript) can be uploaded as an attachment or avatar. When an administrator views the uploaded content—for example, by opening the attachment or loading the attacker's avatar—the injected script executes in the admin's browser session [1][2].
Impact
Successful exploitation enables the attacker to perform actions with the privileges of the viewing admin. This can lead to full platform compromise, including data exfiltration, account manipulation, or further server-side attacks if the admin session is leveraged [1].
Mitigation
Status
Memos maintainers did not respond to responsible disclosure; Sonar published the findings under its 90-day disclosure policy [1]. As of the latest available code (v0.24.4), the vulnerability remains unpatched. Organizations are advised to restrict access to Memos to trusted users only until a fix is released [1].
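The root cause described above is that uploaded bytes are served back with whatever type the client claimed. The following is an added example, not code from the Memos project, of how an upload-serving handler can close that gap: the response type is derived from the bytes themselves, only an allowlist of image types is rendered inline, and everything else is forced to download with `nosniff` and a sandboxing CSP so a stored HTML or SVG payload never executes in a viewer's session. The function names and the image allowlist are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Only these sniffed types may be rendered inline; anything else (text/html,
// image/svg+xml, ...) is forced to download. Allowlist chosen for the example.
var allowedInline = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// responseType derives the served Content-Type from the bytes themselves
// (http.DetectContentType), never from the client-supplied header, and only
// allowlisted image types are served inline.
func responseType(data []byte) (contentType string, inline bool) {
	base := strings.TrimSpace(strings.Split(http.DetectContentType(data), ";")[0])
	if allowedInline[base] {
		return base, true
	}
	return "application/octet-stream", false
}

// serveUpload is the hardened counterpart of a handler that echoes stored
// attachment or avatar bytes back unchanged (hypothetical name).
func serveUpload(w http.ResponseWriter, data []byte) {
	ct, inline := responseType(data)
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff") // no browser re-sniffing
	w.Header().Set("Content-Security-Policy", "sandbox") // no script even if rendered
	if !inline {
		w.Header().Set("Content-Disposition", `attachment; filename="download"`)
	}
	w.Write(data)
}

// headersFor runs serveUpload against a recorder and returns the response headers.
func headersFor(data []byte) http.Header {
	rec := httptest.NewRecorder()
	serveUpload(rec, data)
	return rec.Result().Header
}

func main() {
	// Constructed "avatar" upload that is really an HTML page carrying a script.
	h := headersFor([]byte("<html><script>alert(1)</script></html>"))
	fmt.Println(h.Get("Content-Type"), "|", h.Get("Content-Disposition"))
}
```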
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/usememos/memos | Go | <= 0.22.0 | — |
Affected products
- Memos / Memos
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cgrg-86m5-xm4w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-56761 (GHSA, advisory)
- github.com/usememos/memos/blob/v0.24.0/server/router/api/v1/user_service.go (GHSA, web)
- github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go (GHSA, web)
- www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples (GHSA, web)
- www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/ (MITRE)
News mentions
No linked articles in our index yet.