158 matches found
CVE-2026-39904
Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate function in models/attachment.go processes Office documents as ZI...
CVE-2026-39904 Gophish 0.12.1 Denial of Service via Office Document Upload
Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate function in models/attachment.go processes Office documents as ZI...
CVE-2026-39904
Gophish 0.12.1 is affected by a denial-of-service in the ApplyTemplate() path that processes Office documents as ZIP archives. The vulnerability arises from ioutil.ReadAll() on each file entry without size limits, enabling a zip-bomb payload to cause several gigabytes of in-memory expansion and ...
SUSE CVE-2025-70963
Gophish <= 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
GO-2026-4455 Gophish is vulnerable to Incorrect Access Control in github.com/gophish/gophish
Gophish is vulnerable to Incorrect Access Control in github.com/gophish/gophish...
Gophish is vulnerable to Incorrect Access Control
Gophish <= 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
GHSA-9F8M-9547-2GQM Gophish is vulnerable to Incorrect Access Control
Gophish <= 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
CVE-2025-70963
Gophish <= 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
PT-2026-6855
Gophish <= 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
EUVD-2025-206883
Gophish <= 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
CVE-2025-70963
Summary: CVE-2025-70963 affects Gophish prior to 0.12.1. The admin dashboard exposes each user’s long-lived API key directly in the rendered HTML/JavaScript on login, enabling access to permanent API credentials from browser scripts. This is an Incorrect Access Control vulnerability with HIGH imp...
GoPhish Security Vulnerability
GoPhish is an open-source phishing framework developed by GoPhish. Versions of GoPhish 0.12.1 and earlier contain security vulnerabilities. These vulnerabilities stem from improper access control mechanisms. In these versions, the management panel exposes the user’s long-term API keys directly in...
PT-2026-6752
Name of the Vulnerable Software and Affected Versions: Gophish versions prior to 0.12.1. Description: The administrative dashboard reveals each user’s long-lived API key within the HTML and JavaScript code on every login. This exposes permanent API credentials to any script operating within the...
CVE-2020-24711
The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack...
CVE-2020-24713
Gophish through 0.10.1 does not invalidate the gophish cookie upon logout...
CVE-2020-24708
Cross-Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form...