15 matches found
CVE-2026-44522
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
CVE-2026-44522 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
EUVD-2026-30370
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
Note Mark Input Validation Error Vulnerability
Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark from 0.13.0 to 0.19.4 contained a vulnerability related to input validation errors. This vulnerability stemmed from the lack of cleaning and validation of asset file names, which could lead to...
PT-2026-38621
Name of the Vulnerable Software and Affected Versions Note Mark versions 0.13.0 through 0.19.3 Description Authenticated users can upload assets to notes via the "/api/notes/noteID/assets" endpoint. The application stores the asset filename provided in the X-Name HTTP request header directly in t...
EUVD-2025-16202
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-31500
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name. CVE-2025-31500 Note that Nessus relies on the presence...
Best Practical RT Cross-Site Scripting Vulnerability
Best Practical RT is a request tracker from Best Practical, Inc. A cross-site scripting vulnerability exists in Best Practical RT versions 5.0 through 5.0.7, which stems from the injection of JavaScript into an asset name and could lead to cross-site scripting...
CVE-2025-31500
CVE-2025-31500 affects Best Practical RT (Request Tracker) 5.0–5.0.7, enabling cross-site scripting via JavaScript injection in an Asset name. The connected documents confirm the vulnerability and reference the RT 5.0.8 release, suggesting upgrading to 5.0.8 as remediation. No explicit exploit de...
CVE-2025-31500
Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name...
PT-2025-19379 · Debian +1
Name of the Vulnerable Software and Affected Versions: Debian Linux affected versions not specified Description: The issue concerns a Cross Site Scripting vulnerability via JavaScript injection in an Asset name. Additionally, there are package vulnerabilities in request-tracker5. Recommendations:...
Craft CMS stored XSS in indexedVolumes
Summary XSS can be triggered via the Update Asset Index utility PoC 1. Access setting tab 2. Create new assets 3. In assets name inject payload: "alert26 4. Click Utilities tab 5. Choose all volumes, or volume trigger xss 7. Click Update asset indexes. XSS will be triggered Json response volumes...
PT-2023-24214 · Craft
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.4.6 Description: Cross-site scripting XSS can be triggered via the Update Asset Index utility. This issue allows an attacker to inject malicious scripts, potentially leading to unauthorized access or data theft. The...
HackerOne: Unauthorized access to metadata of undisclosed reports that were retested
Summary: reportretests object in User node discloses some information about undisclosed report Description: An attacker can get some information such as "assetname", "assettype", "severityrating", "weaknessname" of undisclosed report Steps To Reproduce 1. Invoke the below graphql call POST...
ManageEngine AssetExplorer 6.2.0 Cross Site Scripting Vulnerability
In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter. Exploit Title: ManageEngine AssetExplorer 6.2.0 - Stored XSS Exploit Author: Ismail Tasdelen Vendor Homepage: https://www.manageengine.com/ Hardwa...