Vulnerability Details CVE-2025-70963
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard embeds each user's long-lived API key directly in the rendered HTML/JavaScript of the page on every login, instead of releasing it only on an explicit request. Because the key is part of the page itself, any script executing in the browser context (a browser extension, or script injected through a separate client-side flaw) can read a permanent API credential and reuse it outside the session. Unlike a session cookie, the API key does not expire, so operators of affected versions should treat the key of every user who has logged in to the dashboard as potentially exposed and rotate it.
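The following Go program is an added illustration and is not Gophish's own code: it contrasts the weak pattern the advisory describes (the key rendered into the page on every load) with a hardened pattern in which the dashboard never carries the key and a separate POST releases it only after the account password is re-entered, and it includes the simple check an operator can run against a live instance (fetch any dashboard page while logged in and search the body for your own API key). The account record, handler paths, key value and SHA-256 password hashing are assumptions made for the demo, not Gophish internals.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// account is a hypothetical user record for this demo; it is not
// Gophish's data model. SHA-256 is used for the password only to keep the
// example dependency-free; a real service would use bcrypt or argon2.
type account struct {
	Username     string
	APIKey       string
	PasswordHash [32]byte
}

// Constructed sample account; the key value is made up for the demo.
var demo = account{
	Username:     "admin",
	APIKey:       "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
	PasswordHash: sha256.Sum256([]byte("correct horse battery staple")),
}

// Weak pattern: the long-lived key is rendered into the page on every
// load, so anything able to read the DOM or page scripts obtains it.
var leakyDashboard = template.Must(template.New("leaky").Parse(
	`<html><body><h1>Dashboard for {{.Username}}</h1>
<script>var api_key = {{.APIKey}};</script></body></html>`))

// Hardened pattern: the dashboard never carries the key; it is returned
// only by an explicit POST that re-verifies the account password.
var safeDashboard = template.Must(template.New("safe").Parse(
	`<html><body><h1>Dashboard for {{.Username}}</h1>
<form method="post" action="/settings/api_key"><input type="password" name="password">
<button>Reveal API key</button></form></body></html>`))

func leakyHandler(w http.ResponseWriter, r *http.Request) { leakyDashboard.Execute(w, demo) }

func safeHandler(w http.ResponseWriter, r *http.Request) { safeDashboard.Execute(w, demo) }

// revealHandler releases the key only after re-authentication, compared in
// constant time, so a script that merely shares the session cannot read it.
func revealHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	got := sha256.Sum256([]byte(r.FormValue("password")))
	if subtle.ConstantTimeCompare(got[:], demo.PasswordHash[:]) != 1 {
		http.Error(w, "re-authentication failed", http.StatusForbidden)
		return
	}
	w.Header().Set("Cache-Control", "no-store")
	fmt.Fprint(w, demo.APIKey)
}

// pageLeaksKey is the operator's check: fetch a page of a live instance
// while logged in and look for your own API key in the response body.
func pageLeaksKey(body, apiKey string) bool { return strings.Contains(body, apiKey) }

// get and post drive a handler in-process via httptest, offline.
func get(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Body.String()
}

func post(h http.HandlerFunc, form url.Values) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/settings/api_key", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println("leaky dashboard exposes key:", pageLeaksKey(get(leakyHandler), demo.APIKey))
	fmt.Println("hardened dashboard exposes key:", pageLeaksKey(get(safeHandler), demo.APIKey))
	code, _ := post(revealHandler, url.Values{"password": {"wrong"}})
	fmt.Println("reveal with wrong password, status:", code)
	code, body := post(revealHandler, url.Values{"password": {"correct horse battery staple"}})
	fmt.Println("reveal with correct password, status:", code, "key returned:", pageLeaksKey(body, demo.APIKey))
}
```

The hardened form removes the passive leak (nothing reading the rendered page can recover the key), but it is not a complete defence: a script with full control of the page could still prompt the user for the password. That is why rotating already-exposed keys matters independently of the fix.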
Exploit prediction scoring system (EPSS) score
EPSS score: 0.0 (estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 11.0% (share of all scored CVEs with an equal or lower EPSS score)
CVSS severity
CVSS v3 base score: 7.6
Products affected by CVE-2025-70963
- cpe:2.3:a:getgophish:gophish:- (version not specified)
- cpe:2.3:a:getgophish:gophish:0.1
- cpe:2.3:a:getgophish:gophish:0.1.1
- cpe:2.3:a:getgophish:gophish:0.1.2
- cpe:2.3:a:getgophish:gophish:0.2.0
- cpe:2.3:a:getgophish:gophish:0.3.0
- cpe:2.3:a:getgophish:gophish:0.4.0
- cpe:2.3:a:getgophish:gophish:0.5.0
- cpe:2.3:a:getgophish:gophish:0.6.0
- cpe:2.3:a:getgophish:gophish:0.7.0
- cpe:2.3:a:getgophish:gophish:0.7.1
- cpe:2.3:a:getgophish:gophish:0.8.0
- cpe:2.3:a:getgophish:gophish:0.9.0
- cpe:2.3:a:getgophish:gophish:0.10.0
- cpe:2.3:a:getgophish:gophish:0.10.1
- cpe:2.3:a:getgophish:gophish:0.11.0
- cpe:2.3:a:getgophish:gophish:0.12.0
- cpe:2.3:a:getgophish:gophish:0.12.1