VYPR
Vendor

Gophish

Products
1
CVEs
13
Across products
13
Status
Private

Products

1

Recent CVEs

13
  • CVE-2024-55196HigDec 19, 2024
    risk 0.49cvss 7.5epss 0.00

    Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.

  • CVE-2026-39904Jun 22, 2026
    risk 0.00cvss epss 0.00

    Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function in models/attachment.go processes…

  • CVE-2025-70963Feb 6, 2026
    risk 0.00cvss epss 0.00

    Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the…

  • CVE-2024-2211Mar 6, 2024
    risk 0.00cvss epss 0.00

    Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu.

  • CVE-2022-45003Mar 22, 2023
    risk 0.00cvss epss 0.01

    Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.

  • CVE-2022-45004Mar 22, 2023
    risk 0.00cvss epss 0.01

    Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.

  • CVE-2022-25295Sep 11, 2022
    risk 0.00cvss epss 0.01

    This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts…

  • CVE-2020-24707Oct 28, 2020
    risk 0.00cvss epss 0.01

    Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content.

  • CVE-2020-24713Oct 28, 2020
    risk 0.00cvss epss 0.01

    Gophish through 0.10.1 does not invalidate the gophish cookie upon logout.

  • CVE-2020-24711Oct 28, 2020
    risk 0.00cvss epss 0.02

    The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack

  • CVE-2020-24712Oct 28, 2020
    risk 0.00cvss epss 0.01

    Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page.

  • CVE-2020-24709Oct 28, 2020
    risk 0.00cvss epss 0.01

    Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template.

  • CVE-2020-24708Oct 28, 2020
    risk 0.00cvss epss 0.01

    Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form.