Gophish
Recent CVEs (13)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-55196 | Gophish | High | 0.49 | 7.5 | 0.00 | | Dec 19, 2024 | Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers. |
| CVE-2026-39904 | Gophish | | 0.00 | — | 0.00 | | Jun 22, 2026 | Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes… |
| CVE-2025-70963 | Gophish | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the… |
| CVE-2024-2211 | Gophish | | 0.00 | — | 0.00 | | Mar 6, 2024 | Stored Cross-Site Scripting vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu. |
| CVE-2022-45003 | Gophish | | 0.00 | — | 0.01 | | Mar 22, 2023 | Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus. |
| CVE-2022-45004 | Gophish | | 0.00 | — | 0.01 | | Mar 22, 2023 | Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page. |
| CVE-2022-25295 | Gophish | | 0.00 | — | 0.01 | | Sep 11, 2022 | This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract the path and eventually redirect the user to a relative URL, but if the next parameter starts… |
| CVE-2020-24707 | Gophish | | 0.00 | — | 0.01 | | Oct 28, 2020 | Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. |
| CVE-2020-24713 | Gophish | | 0.00 | — | 0.01 | | Oct 28, 2020 | Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. |
| CVE-2020-24711 | Gophish | | 0.00 | — | 0.02 | | Oct 28, 2020 | The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack. |
| CVE-2020-24712 | Gophish | | 0.00 | — | 0.01 | | Oct 28, 2020 | Cross-Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page. |
| CVE-2020-24709 | Gophish | | 0.00 | — | 0.01 | | Oct 28, 2020 | Cross-Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. |
| CVE-2020-24708 | Gophish | | 0.00 | — | 0.01 | | Oct 28, 2020 | Cross-Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. |