Delete all notes of all users in the application in usememos/memos


Reported on

Dec 26th 2022


A user with login permission can delete all notes of the whole application via API DELETE$idnote

Proof of Concept



The vulnerability will cause the loss of all user notes data throughout the system, causing damage to user data.
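An added illustration, not code from usememos/memos or its fix commit: a minimal Go handler with an object-level ownership check on a delete-by-ID endpoint, assuming the issue comes down to the endpoint checking login but not ownership. The `/memo/<id>` route, the `X-User-ID` header and the sample data are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// deleteHandler serves DELETE /memo/<id> over owners (memo ID -> creator ID).
// X-User-ID stands in for the session's authenticated user (assumption).
func deleteHandler(owners map[int]int, enforceOwner bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		caller, err := strconv.Atoi(r.Header.Get("X-User-ID"))
		if err != nil {
			http.Error(w, "not logged in", http.StatusUnauthorized)
			return
		}
		id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/memo/"))
		owner, found := owners[id]
		if err != nil || !found {
			http.Error(w, "no such memo", http.StatusNotFound)
			return
		}
		// Being logged in is not enough: the caller must be the memo's creator.
		if enforceOwner && owner != caller {
			http.Error(w, "not your memo", http.StatusForbidden)
			return
		}
		delete(owners, id)
		w.WriteHeader(http.StatusOK)
	}
}

// tryDelete sends one DELETE as caller; returns the status and memos left.
func tryDelete(enforceOwner bool, caller, memoID int) (int, int) {
	owners := map[int]int{1: 100, 2: 100, 3: 200} // constructed: memo -> creator
	req := httptest.NewRequest(http.MethodDelete, "/memo/"+strconv.Itoa(memoID), nil)
	req.Header.Set("X-User-ID", strconv.Itoa(caller))
	rec := httptest.NewRecorder()
	deleteHandler(owners, enforceOwner)(rec, req)
	return rec.Code, len(owners)
}

func main() {
	fmt.Println(tryDelete(false, 200, 1)) // no owner check: another user's memo is removed
	fmt.Println(tryDelete(true, 200, 1))  // owner check: same request is rejected
}
```

The three cases worth keeping as regression tests are non-owner without the check, non-owner with the check, and the owner with the check.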

We are processing your report and will contact the usememos/memos team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a exists (a year ago)
We have contacted a member of the usememos/memos team and are waiting to hear back (a year ago)
STEVEN validated this vulnerability (a year ago)
trumthiphi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 3556ae (a year ago)
STEVEN has been awarded the fix bounty
This vulnerability has now been published (a year ago)