PT-2026-6752 · Gophish · Gophish
Published: 2026-02-06 · Updated: 2026-03-03 · CVE-2025-70963
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Gophish versions prior to 0.12.1
Description
The administrative dashboard embeds each user's long-lived API key in the HTML and JavaScript it renders on every login. Any script executing in that browser context can therefore read a permanent API credential. The vulnerable component is the administrative dashboard; the key is exposed through the rendered HTML/JavaScript.
Recommendations
Update to a version greater than 0.12.1.
Fix
Improper Access Control
Insecure Storage of Sensitive Information
Information Disclosure
Affected Products
Gophish