Cyber Resilience

CVE-2025-70963

Severity: High · Public PoC

Published: 06 February 2026
Modified: 10 February 2026
KEV Added: (not listed)
Patch: (none listed)
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0002 (6.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-70963 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Gophish (vendor: getgophish). Its CVSS base score is 7.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Steal Application Access Token (T1528). EPSS ranks it at the 6.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-70963 is an incorrect access control vulnerability (CWE-200, CWE-922) affecting Gophish versions <=0.12.1. On every login, the administrative dashboard embeds each user's long-lived API key directly in the rendered HTML/JavaScript of the page, so the permanent API credential is readable by any script running in the browser context. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) and was published on 2026-02-06T18:15:55.510.

The attack requires low-privileged access (PR:L) over the network (AV:N), has low attack complexity (AC:L), and needs user interaction (UI:R), such as the victim logging into the dashboard. Once the victim is authenticated, any script executing in the browser context can read the exposed key. Because the key is a permanent credential rather than a session token, an exposed key remains usable after the victim's session ends until it is regenerated. An attacker holding the key can achieve high confidentiality and integrity impact (C:H/I:H) and low availability impact (A:L) by performing unauthorized actions through the Gophish API.

Mitigation details are available in the GitHub issue at https://github.com/gophish/gophish/issues/9366.
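As an added illustration (not code from the Gophish project or the GitHub issue), the Go snippet below contrasts a dashboard template that interpolates the user's API key into the page's inline script, which is the pattern this CVE describes, with one that leaves the key out of the page, and includes a regression check a defender can run against rendered output. The `User` type, the template markup, the `LeaksKey` helper and the key value are all constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// User is a constructed stand-in for a dashboard account record.
type User struct {
	Username string
	APIKey   string // long-lived credential; must never reach the page body
}

// leakyDashboard reproduces the vulnerable pattern this CVE describes: the
// API key is interpolated into an inline script, so any script running in
// the page, or anyone who can read the response, can read the key.
const leakyDashboard = `<html><body><h1>Welcome {{.Username}}</h1>
<script>var api_key = "{{.APIKey}}";</script></body></html>`

// safeDashboard leaves the key out of the page entirely. A separate,
// authenticated request with its own authorization check is the place to
// reveal or regenerate it.
const safeDashboard = `<html><body><h1>Welcome {{.Username}}</h1></body></html>`

// LeaksKey is a defender-side regression check (hypothetical helper): render
// the dashboard for one user and report whether their secret appears
// anywhere in the resulting response body.
func LeaksKey(tmpl string, u User) (bool, error) {
	t, err := template.New("dashboard").Parse(tmpl)
	if err != nil {
		return false, err
	}
	var body bytes.Buffer
	if err := t.Execute(&body, u); err != nil {
		return false, err
	}
	return strings.Contains(body.String(), u.APIKey), nil
}

func main() {
	// Constructed sample key, not a real Gophish credential.
	u := User{Username: "admin", APIKey: "0123456789abcdef0123456789abcdef"}
	for _, c := range []struct{ name, tmpl string }{{"leaky", leakyDashboard}, {"safe", safeDashboard}} {
		leaks, err := LeaksKey(c.tmpl, u)
		fmt.Printf("%s template exposes API key: %v (err=%v)\n", c.name, leaks, err)
	}
}
```

The same check can be pointed at the real dashboard response of a logged-in test account after an upgrade, asserting that the account's key no longer appears in the body.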

Vulnerability details

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

CWE(s)

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-922 (Insecure Storage of Sensitive Information)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

The vulnerability directly exposes long-lived API keys in client-side HTML/JS, enabling theft of application access tokens by any browser-context script.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21620 (shared CWE-200)
CVE-2026-33745 (shared CWE-200)
CVE-2026-33180 (shared CWE-200)
CVE-2026-40895 (shared CWE-200)
CVE-2026-40868 (shared CWE-922)
CVE-2026-34969 (shared CWE-200)
CVE-2026-30845 (shared CWE-200)
CVE-2026-35442 (shared CWE-200)
CVE-2026-26069 (shared CWE-200)
CVE-2026-41323 (shared CWE-200)

Affected Assets

Vendor: getgophish
Product: gophish
Versions: ≤ 0.12.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to sensitive information, directly preventing the exposure of long-lived API keys in the rendered HTML/JavaScript of the administrative dashboard.

IA-5 Authenticator Management (prevent): Requires protection of authenticator content from unauthorized disclosure and modification, addressing the embedding of permanent API credentials accessible to browser scripts.

SI-15 Information Output Filtering (prevent): Implements information output filtering to identify and block sensitive data such as API keys from being transmitted in dashboard responses to the browser context.
