Description
Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages
Published: 2026-06-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a client‑side Cross‑Site Scripting (XSS) flaw that exists in usememos Memos v0.26.0. An attacker can inject malicious JavaScript into a memo’s content. When the memo is rendered in the Memo Rendering Component, in the SANITIZE_SCHEMA step, or while viewing a memo via the Public/Private Memo View pages, the injected script is executed in the victim’s browser context. This allows the attacker to steal session cookies, read other memo data, or perform actions on behalf of the user. The weakness corresponds to CWE‑79, which is a classic input‑validation issue that results in script injection.

Affected Systems

The flaw is present only in usememos Memos version 0.26.0. No other products or versions were identified as affected in the available data.

Risk and Exploitability

The EPSS score is not disclosed, and the vulnerability is not listed in the CISA KEV catalog, indicating that publicly known exploits have not yet been observed. Nevertheless, the ability to execute arbitrary scripts in the end‑user’s browser represents a serious risk, especially in environments where memos are publicly viewable or shared. A remote attacker can craft a memo with malicious payloads and persuade a user to open it, leading to potential data theft or credential compromise. Because the vulnerability operates across the web interface, the attack vector is inferred to be Remote (Web).

Generated by OpenCVE AI on June 3, 2026 at 04:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Memos or apply the vendor’s patch that corrects the input sanitization logic.
  • If an immediate upgrade is not possible, restrict use of the public memo view feature or enforce strict access controls so that only trusted users can view memo content.
  • As a temporary workaround, manually review memo content for disallowed tags or scripts before rendering them to users.

Generated by OpenCVE AI on June 3, 2026 at 04:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Usememos
Usememos memos
Vendors & Products Usememos
Usememos memos

Wed, 03 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via Memo Content Rendering in Memos 0.26.0
Weaknesses CWE-79

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages
References

Subscriptions

Usememos Memos
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T16:17:34.883Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30586

cve-icon Vulnrichment

Updated: 2026-06-03T16:17:31.257Z

cve-icon NVD

Status : Received

Published: 2026-06-02T20:16:34.087

Modified: 2026-06-02T20:16:34.087

Link: CVE-2026-30586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T05:15:25Z

Weaknesses