Home > Vulnerability Database > CVE-2025-56761

Mend.io Vulnerability Database

CVE-2025-56761

Good to know:

Date: September 2, 2025

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

Severity Score

5.4

Related Resources (8)

Url: https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples

Url: https://github.com/usememos/memos/blob/v0.24.0/server/router/api/v1/user_service.go#L147

Url: https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48

Url: https://github.com/usememos/memos

Url: https://github.com/advisories/GHSA-cgrg-86m5-xm4w

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-56761

Url: https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/

Url: https://www.mend.io/vulnerability-database/CVE-2025-56761

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version github.com/usememos/memos - no_fix

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-56761

Good to know:

Date: September 2, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?