CVE-2025-70963

HIGH

Gophish < 0.12.1 - Information Disclosure

Title source: rule

Description

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

References (1)

[Exploit, Vendor Advisory, Issue Tracking] https://github.com/gophish/gophish/issues/9366

Scores

CVSS v3 7.6

EPSS 0.0002

EPSS Percentile 4.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-922 CWE-200

Status published

Products (2)

getgophish/gophish < 0.12.1

gophish/gophish 0Go

Published Feb 06, 2026

Tracked Since Feb 18, 2026