Usememos
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-30586 | | Med | 0.33 | 6.1 | 0.00 | | Jun 2, 2026 | Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages |
| CVE-2025-65797 | | | 0.00 | — | 0.00 | | Dec 8, 2025 | Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS). |
| CVE-2025-65799 | | | 0.00 | — | 0.00 | | Dec 8, 2025 | A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal. |
| CVE-2025-65796 | | | 0.00 | — | 0.00 | | Dec 8, 2025 | Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos. |
| CVE-2025-65795 | | | 0.00 | — | 0.00 | | Dec 8, 2025 | Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request. |
| CVE-2025-65798 | | | 0.00 | — | 0.00 | | Dec 8, 2025 | Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users. |
| CVE-2024-21635 | | | 0.00 | — | 0.00 | | Nov 14, 2025 | Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised,… |
| CVE-2024-41659 | | | 0.00 | — | 0.01 | | Aug 20, 2024 | memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request,… |
| CVE-2024-29029 | | | 0.00 | — | 0.01 | | Apr 19, 2024 | memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the… |
| CVE-2024-29028 | | | 0.00 | — | 0.01 | | Apr 19, 2024 | memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1. |
| CVE-2024-29030 | | | 0.00 | — | 0.01 | | Apr 19, 2024 | memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file. |