VYPR

Gophish

by Gophish

Source repositories

CVEs (13)

  • CVE-2024-55196HigDec 19, 2024
    risk 0.49cvss 7.5epss 0.00

    Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.

  • CVE-2020-24713HigOct 28, 2020
    risk 0.49cvss 7.5epss 0.01

    Gophish through 0.10.1 does not invalidate the gophish cookie upon logout.

  • CVE-2022-45003HigMar 22, 2023
    risk 0.42cvss 7.5epss 0.01

    Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.

  • CVE-2020-24709MedOct 28, 2020
    risk 0.35cvss 5.4epss 0.01

    Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template.

  • CVE-2022-45004MedMar 22, 2023
    risk 0.33cvss 6.1epss 0.01

    Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.

  • CVE-2024-2211MedMar 6, 2024
    risk 0.30cvss 4.6epss 0.00

    Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu.

  • CVE-2022-25295MedSep 11, 2022
    risk 0.28cvss 5.4epss 0.01

    This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts…

  • CVE-2026-39904Jun 22, 2026
    risk 0.00cvss epss 0.00

    Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes…

  • CVE-2025-70963Feb 6, 2026
    risk 0.00cvss epss 0.00

    Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the…

  • CVE-2020-24712MedOct 28, 2020
    risk 0.00cvss 5.4epss 0.01

    Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.

  • CVE-2020-24711MedOct 28, 2020
    risk 0.00cvss 6.5epss 0.02

    The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack

  • CVE-2020-24708MedOct 28, 2020
    risk 0.00cvss 5.4epss 0.01

    Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form.

  • CVE-2020-24707HigOct 28, 2020
    risk 0.00cvss 7.8epss 0.01

    Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content.