Every CVE whose affected-product data names Usememos Memos, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (73)
CVE-2025-50738 — CVSS 9.8 (critical): The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo…
CVE-2025-22952 — CVSS 9.8 (critical): elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can…
CVE-2022-4734 — CVSS 8.1 (high): Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository usememos/memos prior to 0.9.1.
CVE-2024-41659 — CVSS 8.1 (high): memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary…
CVE-2025-65795 — CVSS 7.5 (high): Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts…
CVE-2024-21635 — CVSS 7.5 (high): Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes…
CVE-2022-4800 — CVSS 6.5 (medium): Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-4683 — CVSS 6.5 (medium): Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-4847 — CVSS 6.5 (medium): Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-4799 — CVSS 6.5 (medium): Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
CVE-2025-65797 — CVSS 6.5 (medium): Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to…
CVE-2022-4863 — CVSS 6.5 (medium): Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1.
CVE-2024-29029 — CVSS 6.1 (medium): memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows…
CVE-2024-29030 — CVSS 5.8 (medium): memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows…
CVE-2024-29028 — CVSS 5.8 (medium): memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows…
CVE-2022-4848 — CVSS 5.7 (medium): Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
CVE-2023-0109 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to…
CVE-2022-25978 — CVSS 5.4 (medium): All versions of the package github.com/usememos/memos/server are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on…
CVE-2025-56761 — CVSS 5.4 (medium): Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does…
CVE-2025-65798 — CVSS 5.4 (medium): Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments…
CVE-2022-4798 — CVSS 5.3 (medium): Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
CVE-2025-56760 — CVSS 4.3 (medium): When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path…
CVE-2025-65799 — CVSS 4.3 (medium): A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path…
CVE-2025-65796 — CVSS 4.3 (medium): Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other…
CVE-2022-4797 — CVSS 4.3 (medium): Improper Restriction of Excessive Authentication Attempts in GitHub repository usememos/memos prior to 0.9.1.