CVE-2025-70963 — Vulnetix

CVE-2025-70963 PUBLISHED CVSS 6 MEDIUM

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

EPSS 0.02% · 4.3th percentile

Risk Scores

CVSS v4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

EPSS Score

0.02%

4.3th percentile

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a, n/a
getgophish	gophish	0, 0
github.com	gophish/gophish	0, 0

Timeline

Feb 6, 2026 CVE Published
Feb 6, 2026 PoC Published
Feb 7, 2026 EPSS Score
Feb 9, 2026 EPSS Score
Feb 11, 2026 EPSS Score
Feb 13, 2026 EPSS Score
Feb 15, 2026 EPSS Score
Feb 18, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 22, 2026 EPSS Score
Feb 24, 2026 EPSS Score
Feb 26, 2026 EPSS Score

References

https://github.com/gophish/gophish/issues/9366 url
https://nvd.nist.gov/vuln/detail/CVE-2025-70963 advisory
https://github.com/gophish/gophish package

Open in Interactive Console →