CVE-2025-60538: Shiori is vulnerable to authentication bypass via a brute force attack

January 9, 2026 (updated January 13, 2026)

A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack.

References

github.com/advisories/GHSA-mw8h-g64c-rxv4
github.com/go-shiori/shiori
github.com/go-shiori/shiori/issues/1138
nvd.nist.gov/vuln/detail/CVE-2025-60538

Code Behaviors & Features

Detect and mitigate CVE-2025-60538 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →