Stored XSS while creating a new post in usememos/memos


Reported on

Dec 19th 2022


After login create a new post and type the following text with XSS payload

XSS in create post [<img src=x onerror=alert(1)>](

then click post that will be executed.

Proof of Concept

XSS in create post [te<img src=x onerror=alert(1)>te](


Users account takeover + admin

We are processing your report and will contact the usememos/memos team within 24 hours. 21 days ago
Mohamed Abdelhady modified the report
20 days ago
Mohamed Abdelhady modified the report
20 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 20 days ago
usememos/memos maintainer validated this vulnerability 19 days ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
19 days ago


Can You assign it as CVE !

STEVEN marked this as fixed in 0.9.0 with commit 65cc19 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
to join this conversation