Skip to main content

Shiori

2 CVEs product

Monthly

CVE-2026-61463 HIGH PATCH This Week

Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. Disclosed by VulnCheck with a vendor fix committed upstream; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Shiori
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2025-60538 Go MEDIUM This Month

A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. [CVSS 6.5 MEDIUM]

Authentication Bypass Shiori Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. Disclosed by VulnCheck with a vendor fix committed upstream; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Shiori
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. [CVSS 6.5 MEDIUM]

Authentication Bypass Shiori Suse
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy