CVE-2025-70963

High CVSS: 7.6

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

Vendor

Getgophish

Product

Gophish

CWE

CWE-200

Yayın Tarihi

2026-02-06 18:15:55

Güncelleme

2026-02-10 18:23:11

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-200 Gophish HIGH Getgophish 2026

Referanslar

https://github.com/gophish/gophish/issues/9366