This page aggregates CVE and security vulnerability information across all getgophish-related products, listing CVSS, EPSS, publication date and vulnerability detail data.
Published issues most often relate to SSRF, open redirect and path-handling flaws, and in the context of production workloads and software deployment may carry exposure risks such as session compromise and file overwrite.
The listed data is based on public vulnerability information and security advisories and can be used to assess historical exposure surface and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-70963 | Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. | [email protected] | 7.6 | 0.27% | 2026-02-06 | 2026-06-17 |
| CVE-2024-2211 | Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu. | [email protected] | 4.6 | 0.29% | 2024-03-06 | 2026-06-17 |
| CVE-2022-45004 | Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page. | [email protected] | 6.1 | 0.60% | 2023-03-22 | 2026-06-17 |
| CVE-2022-45003 | Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus. | [email protected] | 7.5 | 1.04% | 2023-03-22 | 2026-06-17 |
| CVE-2022-25295 | This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts with multiple backslashes like \\\\\\example.com, browser will redirect user to http://example.com. | [email protected] | 5.4 | 0.53% | 2022-09-11 | 2026-06-17 |
| CVE-2020-24713 | Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. | [email protected] | 7.5 | 1.14% | 2020-10-28 | 2026-06-16 |
| CVE-2020-24712 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page. | [email protected] | 5.4 | 0.85% | 2020-10-28 | 2026-06-16 |
| CVE-2020-24711 | The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack | [email protected] | 6.5 | 1.55% | 2020-10-28 | 2026-06-16 |
| CVE-2020-24710 | Gophish before 0.11.0 allows SSRF attacks. | [email protected] | 5.3 | 1.32% | 2020-10-28 | 2026-06-16 |
| CVE-2020-24709 | Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. | [email protected] | 5.4 | 0.55% | 2020-10-28 | 2026-06-16 |
| CVE-2020-24708 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. | [email protected] | 5.4 | 0.62% | 2020-10-28 | 2026-06-16 |
| CVE-2020-24707 | Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. | [email protected] | 7.8 | 1.31% | 2020-10-28 | 2026-06-16 |
| CVE-2019-16146 | Gophish through 0.8.0 allows XSS via a username. | [email protected] | 4.8 | 0.66% | 2019-09-09 | 2026-06-16 |