Lucene search
K

77 matches found

OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5295 Note Mark has Stored XSS via Unrestricted Asset Upload in github.com/enchant97/note-mark/backend

Note Mark has Stored XSS via Unrestricted Asset Upload in github.com/enchant97/note-mark/backend...

8.7CVSS5.8AI score0.00309EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.10 views

CVE-2026-44522

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

8.6CVSS5.7AI score0.00495EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 p.m.41 views

CVE-2026-44522

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

8.6CVSS0.00495EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/07 9:6 p.m.14 views

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution

Description The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path...

8.6CVSS6.3AI score0.00495EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/29 1:44 a.m.7 views

CVE-2026-38948

Cross-Site Scripting XSS vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code...

5.4CVSS5.2AI score0.00165EPSS
Exploits0References1
NVD
NVD
added 2026/04/28 4:16 p.m.4 views

CVE-2026-38948

Cross-Site Scripting XSS vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code...

5.4CVSS0.00165EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.8 views

PT-2026-35746

Cross-Site Scripting XSS vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code...

5.4CVSS5.2AI score0.00165EPSS
Exploits0References6
CVE
CVE
added 2026/04/28 12:0 a.m.9 views

CVE-2026-38948

CVE-2026-38948 affects FUEL CMS

5.4CVSS5.2AI score0.00165EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/28 12:0 a.m.5 views

EUVD-2026-26063

Cross-Site Scripting XSS vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code...

5.4CVSS5.2AI score0.00165EPSS
Exploits0References3
NVD
NVD
added 2026/04/22 10:16 p.m.9 views

CVE-2026-41172

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS0.00215EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/22 9:22 p.m.6 views

CVE-2026-41172

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS5.8AI score0.00215EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/22 9:22 p.m.4 views

CVE-2026-41172 Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS5.8AI score0.00215EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/22 9:22 p.m.34 views

CVE-2026-41172 Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS0.00215EPSS
Exploits0References2
CVE
CVE
added 2026/04/22 9:22 p.m.17 views

CVE-2026-41172

Squidex (open source headless CMS) is affected by an SSRF vulnerability in asset uploads prior to version 7.23.0. A user with asset upload permission can cause the server to fetch arbitrary URLs (including localhost/private network targets) and persist the response as an asset. The issue is fixed...

8.6CVSS5.8AI score0.00215EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.8 views

PT-2026-34570

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS5.8AI score0.00215EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.12 views

Squidex 代码问题漏洞

Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities were caused by a server-side request forgeing issue, allowing users with asset upload permissions to force the server to obtain arbitrary...

8.6CVSS6AI score0.00215EPSS
Exploits0References1
CVE
CVE
added 2026/04/21 11:34 p.m.20 views

CVE-2026-41129

Craft CMS versions in the 4.x line up to 4.17.8 and the 5.x line up to 5.9.14 are vulnerable to a Server-Side Request Forgery when specific GraphQL permissions are enabled: “Edit assets in the volume” and “Create assets in the volume.” The issue is fixed in 4.17.9 and 5.9.15. Affected users sho...

7CVSS5.7AI score0.00275EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/16 11:51 p.m.27 views

CVE-2026-40262 Note Mark has Stored XSS via Unrestricted Asset Upload

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

8.7CVSS0.00309EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/16 11:51 p.m.12 views

CVE-2026-40262 Note Mark has Stored XSS via Unrestricted Asset Upload

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

8.7CVSS5.7AI score0.00309EPSS
Exploits0References3
CVE
CVE
added 2026/04/16 11:51 p.m.8 views

CVE-2026-40262

Note Mark suffers a stored XSS via unrestricted asset upload in versions

8.7CVSS5.8AI score0.00309EPSS
Exploits0References3
Rows per page
Query Builder