CVE-2025-56760

Medium CVSS: 4.3

When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

Vendor

Usememos

Product

Memos

CWE

CWE-24

Yayın Tarihi

2025-09-03 17:15:34

Güncelleme

2025-09-09 18:30:48

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-24 Memos MEDIUM Usememos 2025

Referanslar

https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48 https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/

Benzer Kayıtlar

High

CVE-2025-65795

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create…

Medium

CVE-2025-65797

Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level priv…

Medium

CVE-2025-65799

A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to e…

Medium

CVE-2025-65796

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reac…

Medium

CVE-2025-65798

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or d…

High

CVE-2024-21635

Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. Wh…