34 matches found
PT-2026-48683
Impact Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data $initial person info, $session entry url, and $current url were...
CVE-2026-41572
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41572
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41571
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
EUVD-2026-27053
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41572
Note Mark (project: Note Mark) contains an authenticated/un-authenticated access flaw prior to version 0.19.3 where, after a public book is soft-deleted, notes and uploaded assets remain readable via /api/notes/{id}, /api/notes/{id}/content, the slug path, and asset endpoints. Root cause: GORM’s ...
CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41571 Note Mark: OIDC-registered users authenticated by submitting password "null"
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
CVE-2026-41571
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
CVE-2026-41571 Note Mark: OIDC-registered users authenticated by submitting password "null"
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization via the GetNoteByID function. An attacker can access notes and assets from soft-deleted public books by directly querying endpoints with known note IDs or slug paths, even after the book has been deleted. This...
PT-2026-36891
Name of the Vulnerable Software and Affected Versions Note Mark versions prior to 0.19.3 Description An issue exists where notes and uploaded assets remain accessible after a public book is soft-deleted. Unauthenticated users with the note ID or slug path can access data via the endpoints...
PT-2026-35503
Name of the Vulnerable Software and Affected Versions Note Mark versions prior to 0.19.3 Description An authentication bypass exists in the internal login endpoint. The IsPasswordMatch function in backend/db/models.go uses a hard-coded bcrypt"null" placeholder when a user has no stored password...
EUVD-2022-28777
Netaxis API Orchestrator APIO before 0.19.3 allows server side template injection SSTI...
CVE-2022-23851
Netaxis API Orchestrator APIO before 0.19.3 allows server side template injection SSTI...
CVE-2022-23851
CVE-2022-23851 affects Netaxis API Orchestrator (APIO) up to version 0.19.3 (pre-0.19.3). The vulnerability is a server-side template injection (SSTI) flaw that can impact confidentiality, integrity, and availability (CVSS v3.1 base score 9.8). Some sources note that this issue could potentially ...
Netaxis API Orchestrator 安全漏洞
Netaxis API Orchestrator is an API orchestration and automation platform from Netaxis Belgium. A security vulnerability exists in Netaxis API Orchestrator versions prior to 0.19.3 that stems from vulnerability to server-side template injection attacks...
CVE-2022-23851
Netaxis API Orchestrator APIO before 0.19.3 allows server side template injection SSTI...
PT-2025-51834
Name of the Vulnerable Software and Affected Versions Netaxis API Orchestrator APIO versions prior to 0.19.3 Description The Netaxis API Orchestrator APIO software contains a flaw that permits server side template injection SSTI. This issue could potentially allow an attacker to execute arbitrary...
EUVD-2005-3337
Malware in sbrugna...