Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages
AnalysisAI
Cross-site scripting in usememos Memos v.0.26.0 allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers by exploiting insufficient sanitization in the SANITIZE_SCHEMA configuration within the MemoContent rendering component. Publicly available exploit code exists (PoC gist by gabdevele). Both Public and Private Memo View pages are affected, enabling sensitive information disclosure and limited content manipulation across the changed scope boundary. EPSS stands at 0.05% (17th percentile), indicating low widespread exploitation probability despite the PoC's existence.
Technical ContextAI
Memos is a lightweight, self-hosted note-taking application by usememos. The vulnerability resides in the client-side memo rendering pipeline, specifically in the SANITIZE_SCHEMA defined at web/src/components/MemoContent/constants.ts (line 30). CWE-79 (Improper Neutralization of Input During Web Page Generation) applies: user-controlled input submitted as memo content is not adequately sanitized before being rendered as HTML in both Public and Private Memo View contexts. The Changed Scope (S:C) in the CVSS vector indicates the injected script can affect resources beyond the originating memo context - consistent with stored XSS that persists across page views and can target other authenticated users who load the memo. The CPE data provided is non-specific (n/a), but the affected product is confirmed as usememos Memos v.0.26.0 based on the CVE description and referenced source commit.
RemediationAI
No vendor-released patch has been identified at time of analysis - no patched version number is present in any of the provided references. The primary actionable step is to monitor the usememos/memos GitHub repository for a fix addressing the SANITIZE_SCHEMA in web/src/components/MemoContent/constants.ts. As a compensating control, administrators should restrict public memo creation to authenticated and trusted users only, eliminating the unauthenticated (PR:N) attack path; this trade-off reduces functionality for open/public instances but significantly reduces exposure. Additionally, deploying a Content Security Policy (CSP) header with a restrictive script-src directive at the reverse proxy or web server layer can prevent injected scripts from executing even if the XSS payload is delivered, though this may break legitimate inline script functionality if the app relies on it. Review instance exposure: if the Memos instance is internet-facing with open registration or public memo viewing, consider temporarily restricting access until a patch is available.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34018
GHSA-v69f-jf53-66f6