CVE-2025-70963

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.
References

Link: https://github.com/gophish/gophish/issues/9366
Resource: Exploit, Issue Tracking, Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:getgophish:gophish:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:03

Type: References
Values Removed: https://github.com/gophish/gophish/issues/9366 - Exploit, Vendor Advisory, Issue Tracking
Values Added: https://github.com/gophish/gophish/issues/9366 - Exploit, Issue Tracking, Vendor Advisory

Type: Summary
Values Added:
  • (es) Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

10 Feb 2026, 18:23

Type: References
Values Removed: https://github.com/gophish/gophish/issues/9366 -
Values Added: https://github.com/gophish/gophish/issues/9366 - Exploit, Vendor Advisory, Issue Tracking

Type: CPE
Values Added: cpe:2.3:a:getgophish:gophish:*:*:*:*:*:*:*:*

Type: First Time
Values Added: Getgophish; Getgophish gophish

06 Feb 2026, 19:16

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 7.6

Type: CWE
Values Added: CWE-200, CWE-922

06 Feb 2026, 18:15

Type: New CVE

Information

Published : 2026-02-06 18:15

Updated : 2026-06-17 10:03


NVD link : CVE-2025-70963

Mitre link : CVE-2025-70963

CVE.ORG link : CVE-2025-70963


Products Affected

getgophish

  • gophish
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-922

Insecure Storage of Sensitive Information