Is there a public PoC exploit available for CVE-2026-6634?

Yes, a public proof-of-concept exploit is available for CVE-2026-6634. Prioritise patching immediately. EPSS: 0.0%.

Memos CVE-2026-6634

Q: What is the CVSS score of CVE-2026-6634?

CVE-2026-6634 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23838 LOW

Improper Authorization (CWE-285)

2026-04-20 VulDB

GHSA-gqp3-hfc3-8q54

Authentication Bypass Memos

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

CVSS changed

Apr 20, 2026 - 12:22 NVD

6.3 (MEDIUM) 5.3 (MEDIUM)

Analysis Generated

Apr 20, 2026 - 12:15 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 12:00 euvd

EUVD-2026-23838

Analysis Generated

Apr 20, 2026 - 12:00 vuln.today

CVE Published

Apr 20, 2026 - 11:30 nvd

LOW 2.1

DescriptionCVE.org

A weakness has been identified in usememos memos up to 0.22.1. This affects the function memos_access_token of the file src/App.tsx of the component UpdateInstanceSetting. This manipulation of the argument additionalStyle/additionalScript causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper authorization in usememos memos up to version 0.22.1 allows authenticated remote attackers to bypass access controls via manipulation of additionalStyle and additionalScript arguments in the UpdateInstanceSetting component, potentially leading to unauthorized information disclosure, modification, and service disruption. The vulnerability has publicly available exploit code and affects the memos_access_token function in src/App.tsx. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Compromise or obtain valid memos user credentials

Delivery

Authenticate to memos application

Exploit

Access UpdateInstanceSetting endpoint

Install

Inject malicious additionalStyle or additionalScript payload

Bypass authorization validation

Execute

Modify memos or escalate privileges

Impact

Unauthorized data access or account compromise