Volerion logoVolerion
Volerion logoVolerion

Memos Application Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Memos application, affecting versions through v0.24.3. This issue arises from the application's handling of SVG files, which can be uploaded and then executed when the memo is viewed. The vulnerability allows for the execution of arbitrary JavaScript, such as stealing session cookies or making unauthorized requests from the user's browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute JavaScript when the memo is viewed, potentially leading to session hijacking or unauthorized requests.

Reproduction

To reproduce this vulnerability, upload an SVG file containing JavaScript code, such as an `onload` event. After uploading, the SVG executes the embedded script when the memo is viewed, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update to Memos version v0.25.0 or later, where this vulnerability has been fixed.

Added: Jul 29, 2025, 3:18 PM
Updated: Jul 29, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.9
exploitability
6.0
remediation
7.7
relevance
0.3
threat
6.5
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.