Gophish
by Gophish
Source repositories
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-55196 | Gophish / Gophish | High | 0.49 | 7.5 | 0.00 | | Dec 19, 2024 | Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers. |
| CVE-2020-24713 | Gophish / Gophish | High | 0.49 | 7.5 | 0.01 | | Oct 28, 2020 | Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. |
| CVE-2022-45003 | Gophish / Gophish | High | 0.42 | 7.5 | 0.01 | | Mar 22, 2023 | Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus. |
| CVE-2020-24709 | Gophish / Gophish | Medium | 0.35 | 5.4 | 0.01 | | Oct 28, 2020 | Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. |
| CVE-2022-45004 | Gophish / Gophish | Medium | 0.33 | 6.1 | 0.01 | | Mar 22, 2023 | Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page. |
| CVE-2024-2211 | Gophish / Gophish | Medium | 0.30 | 4.6 | 0.00 | | Mar 6, 2024 | Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu. |
| CVE-2022-25295 | Gophish / Gophish | Medium | 0.28 | 5.4 | 0.01 | | Sep 11, 2022 | This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the `next` query parameter. The application uses `url.Parse(r.FormValue("next"))` to extract the path and eventually redirect the user to a relative URL, but if the `next` parameter starts… |
| CVE-2026-39904 | Gophish / Gophish | | 0.00 | — | 0.00 | | Jun 22, 2026 | Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The `ApplyTemplate()` function in `models/attachment.go` processes… |
| CVE-2025-70963 | Gophish / Gophish | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the… |
| CVE-2020-24712 | Gophish / Gophish | Medium | 0.00 | 5.4 | 0.01 | | Oct 28, 2020 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page. |
| CVE-2020-24711 | Gophish / Gophish | Medium | 0.00 | 6.5 | 0.02 | | Oct 28, 2020 | The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack. |
| CVE-2020-24708 | Gophish / Gophish | Medium | 0.00 | 5.4 | 0.01 | | Oct 28, 2020 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. |
| CVE-2020-24707 | Gophish / Gophish | High | 0.00 | 7.8 | 0.01 | | Oct 28, 2020 | Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. |