Getgophish: >> Gophish >> 0.12.1 Security Vulnerabilities
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.
CVSS Score
7.6
EPSS Score
0.0
Published
2026-02-06
Cross-Site Scripting stored vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu and trigger the payload when the campaign is removed from the menu.
CVSS Score
4.6
EPSS Score
0.001
Published
2024-03-06
Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.
CVSS Score
6.1
EPSS Score
0.003
Published
2023-03-22
Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-03-22