CVE-2026-30586
Description
Stored XSS in Memos allows authenticated users to inject styled iframes, leading to UI redressing and potential credential theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability exists in usememos Memos versions up to and including 0.26.0. The Markdown renderer's sanitization schema incorrectly permits `style` attributes on `span` elements and unsandboxed `iframe` embeds. This allows specially crafted HTML content to be injected into memos.
Exploitation
An authenticated attacker can post a memo containing a `span` element with a `style` attribute set to `position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:999999;background:var(--background);` and an `iframe` element without a `sandbox` attribute, pointing to an attacker-controlled domain. When another user views this memo, the injected content will cover the entire application viewport, displaying the attacker's content while the browser address bar shows the legitimate domain [1].
Impact
Successful exploitation allows an attacker to perform UI redressing and potentially steal user credentials. Because the spoofed login prompt is convincing and perfectly matches the legitimate application's appearance and domain, a victim user is likely to be tricked into entering their login details [1].
Mitigation
Not yet disclosed in the available references. The vulnerability is present in Memos versions up to and including 0.26.0 [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"The Markdown renderer's sanitization schema permits style attributes on span elements and unsandboxed iframe embeds."
Attack vector
An authenticated user can post a memo containing a specially crafted HTML payload. This payload leverages the `style` attribute on `span` elements for CSS positioning and `iframe` elements without a `sandbox` attribute. When another user views this memo, the embedded content can cover the entire application viewport, presenting a spoofed login prompt that appears legitimate due to the correct domain in the browser's address bar [1].
Affected code
The vulnerability stems from the `SANITIZE_SCHEMA` configuration within the rehype-sanitize library, specifically the allowance of the `style` attribute on `span` elements and the inclusion of `iframe` elements without a `sandbox` attribute in the default schema [1].
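A defensive pass over the sanitized tree, as an added example (not Memos code and not a fix from the advisory): it strips `style` from `span` elements, forces a `sandbox` on every `iframe`, and reports what it changed. The hast-style node shape, the `hardenTree` name, the empty-sandbox policy and the sample memo are assumptions constructed for illustration.

```javascript
// Added example: walks a hast-style tree (type/tagName/properties/children)
// and neutralizes the two constructs named in the advisory.
// Policy assumption: an empty token list, i.e. the most restrictive sandbox.
const IFRAME_SANDBOX = [];

function hardenTree(node, findings = []) {
  if (node.type === 'element') {
    const props = node.properties || (node.properties = {});
    if (node.tagName === 'span' && 'style' in props) {
      // Inline CSS on span is what enables the full-viewport overlay.
      findings.push({ tag: 'span', issue: 'style attribute removed', value: String(props.style) });
      delete props.style;
    }
    if (node.tagName === 'iframe') {
      if (!('sandbox' in props)) {
        findings.push({ tag: 'iframe', issue: 'sandbox attribute missing', value: String(props.src ?? '') });
      }
      // Overwrite rather than trust any author-supplied sandbox tokens.
      props.sandbox = [...IFRAME_SANDBOX];
    }
  }
  for (const child of node.children || []) hardenTree(child, findings);
  return findings;
}

// Constructed sample: tree for a memo shaped like the one the advisory describes.
const sampleMemo = {
  type: 'root',
  children: [
    { type: 'element', tagName: 'p', properties: {}, children: [{ type: 'text', value: 'hello' }] },
    {
      type: 'element', tagName: 'span',
      properties: { style: 'position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:999999;background:var(--background);' },
      children: [
        { type: 'element', tagName: 'iframe', properties: { src: 'https://embed.example/' }, children: [] },
      ],
    },
  ],
};

const findings = hardenTree(sampleMemo);
console.log(findings);
```

The findings list doubles as an audit signal: any non-empty result for stored memo content means the sanitization schema let one of these constructs through.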
What the fix does
The advisory does not specify a patch or provide remediation guidance. Therefore, the vulnerability remains unpatched according to the provided information.
Preconditions
- auth: The attacker must have authenticated access to post a memo.
- input: The attacker must craft and submit a memo containing malicious HTML and iframe elements.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0. No linked articles in our index yet.