Security

Report a vulnerability

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security issues to security@karakeep.app

Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS
GHSA-mg93-f9mw-wpgj published Feb 22, 2026 by MohamedBassem

High
Current authentication flow is vulnerable to time based user enumeration
GHSA-g49h-4fx9-9wmw published Aug 23, 2025 by MohamedBassem

Low
Cross-Site Scripting within assets functionality
GHSA-7cj2-fr83-g2wj published Aug 23, 2025 by MohamedBassem

High

Learn more about advisories related to karakeep-app/karakeep in the GitHub Advisory Database