CVE-2025-56761

MEDIUM

memos 0.22 - Authenticated Stored Cross-Site Scripting via Uploaded Attachment or Avatar

Description

Memos 0.22 is vulnerable to stored cross-site scripting (XSS) through the attachment upload and user avatar features. Memos does not verify the content type of uploaded data and serves it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

Scores

CVSS v3 5.4
EPSS 0.0024
EPSS Percentile 14.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
usememos/memos 0.22.0
usememos/memos 0Go
Published Sep 03, 2025
Tracked Since Feb 18, 2026