Skip to main content

usememos Memos CVE-2026-30586

| EUVDEUVD-2026-34018 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 mitre GHSA-v69f-jf53-66f6
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 18:25 vuln.today
CVSS changed
Jun 03, 2026 - 18:22 NVD
6.1 (MEDIUM)
CVE Published
Jun 02, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages

AnalysisAI

Cross-site scripting in usememos Memos v.0.26.0 allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers by exploiting insufficient sanitization in the SANITIZE_SCHEMA configuration within the MemoContent rendering component. Publicly available exploit code exists (PoC gist by gabdevele). Both Public and Private Memo View pages are affected, enabling sensitive information disclosure and limited content manipulation across the changed scope boundary. EPSS stands at 0.05% (17th percentile), indicating low widespread exploitation probability despite the PoC's existence.

Technical ContextAI

Memos is a lightweight, self-hosted note-taking application by usememos. The vulnerability resides in the client-side memo rendering pipeline, specifically in the SANITIZE_SCHEMA defined at web/src/components/MemoContent/constants.ts (line 30). CWE-79 (Improper Neutralization of Input During Web Page Generation) applies: user-controlled input submitted as memo content is not adequately sanitized before being rendered as HTML in both Public and Private Memo View contexts. The Changed Scope (S:C) in the CVSS vector indicates the injected script can affect resources beyond the originating memo context - consistent with stored XSS that persists across page views and can target other authenticated users who load the memo. The CPE data provided is non-specific (n/a), but the affected product is confirmed as usememos Memos v.0.26.0 based on the CVE description and referenced source commit.

RemediationAI

No vendor-released patch has been identified at time of analysis - no patched version number is present in any of the provided references. The primary actionable step is to monitor the usememos/memos GitHub repository for a fix addressing the SANITIZE_SCHEMA in web/src/components/MemoContent/constants.ts. As a compensating control, administrators should restrict public memo creation to authenticated and trusted users only, eliminating the unauthenticated (PR:N) attack path; this trade-off reduces functionality for open/public instances but significantly reduces exposure. Additionally, deploying a Content Security Policy (CSP) header with a restrictive script-src directive at the reverse proxy or web server layer can prevent injected scripts from executing even if the XSS payload is delivered, though this may break legitimate inline script functionality if the app relies on it. Review instance exposure: if the Memos instance is internet-facing with open registration or public memo viewing, consider temporarily restricting access until a patch is available.

Share

CVE-2026-30586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy