| Field | Value |
|---|---|
| Title | Usememos Memos 0.22.1 Cross Site Scripting |
| Description | A critical vulnerability has been discovered in usememos/memos (versions up to and including 0.22.1). This security flaw involves a combination of Broken Access Control (CWE-284) and Stored Cross-Site Scripting (CWE-79).<br><br>The backend gRPC-web endpoint `UpdateInstanceSetting` fails to properly validate user permissions, allowing a standard `Member` user to bypass the frontend UI restrictions and modify global instance settings. Specifically, an attacker can navigate to the system settings page and inject malicious JavaScript or CSS into the `additionalStyle` or `additionalScript` fields.<br><br>Because the frontend application (`src/App.tsx`) injects these settings directly into the DOM using the `innerHTML` property without sanitization, the malicious code is executed in the context of every user visiting the site (including administrators). This allows for full session hijacking, credential theft (`memos_access_token`), and unauthorized administrative actions.<br><br>**2. Short Summary (Submission Title/Summary Field)**<br>Critical vulnerability chain in usememos/memos allows unprivileged users to perform Stored XSS and hijack global instance settings due to broken access control on the `UpdateInstanceSetting` gRPC-web endpoint.<br><br>**3. Quick Reference for VulDB Fields**<br>Class: Web Application<br>Type: Stored XSS / Broken Access Control<br>CWE: CWE-79 / CWE-284<br>Impact: Critical (Full System/Session Compromise)<br>CVSS v3.1/4.0: ~9.0 |
| Source | https://github.com/Dave-gilmore-aus/security-advisories/blob/main/usememos-security-advisory |
| User | davidgilmore (UID 96940) |
| Submission | 03/31/2026 07:22 |
| Moderation | 04/19/2026 21:17 (20 days later) |
| Status | Accepted |
| VulDB entry | 358268 [usememos up to 0.22.1 UpdateInstanceSetting src/App.tsx memos_access_token additionalStyle/additionalScript improper authorization] |
| Points | 20 |