49 matches found
CodiMD <2.5.4 - Insecure Filename Randomization
CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data. Due to the insecure random filename generation in the underlying Formidable library, an...
EUVD-2019-6488
Malware in sbrugna...
EUVD-2025-12479
Malicious code in bioql PyPI...
EUVD-2024-37277
Malicious code in bioql PyPI...
EUVD-2025-12480
Malicious code in bioql PyPI...
CVE-2024-22778
HackMD CodiMD 2.5.2 is vulnerable to Denial of Service...
CVE-2019-15499
CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element with allow-top-navigation in the sandbox attribute, in conjunction with a data: URL...
CVE-2025-46655
CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted...
CVE-2025-46654
CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file...
CVE-2025-46654
CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file...
CVE-2025-46655
CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted...
CVE-2025-46654
CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file...
CVE-2025-46655
CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted...
CVE-2025-46654
CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file...
CVE-2025-46655
CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted...
CVE-2025-46654
CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file...
CodiMD 安全漏洞
CodiMD is a real-time collaborative note-taking application open-sourced by HackMD. A security vulnerability exists in CodiMD 2.5.4 and earlier versions, which stems from a CSP-based XSS protection mechanism that can be bypassed in cross-domain file storage scenarios, potentially leading to...
CodiMD 安全漏洞
CodiMD is a real-time collaborative note-taking application open-sourced by HackMD. A security vulnerability exists in CodiMD 2.2.0 and earlier versions, which stems from the fact that the CSP-based XSS protection mechanism can be bypassed by uploaded .html files, potentially leading to cross-sit...
CVE-2025-46655
CVE-2025-46655 affects CodiMD up to version 2.5.4. The issue is a bypass of the CSP-based XSS protection for SVG uploads when using cross-origin file storage (e.g., AWS S3) in configurations where the architecture cannot insert Content-Security-Policy headers. This can allow XSS in certain storag...
CVE-2025-46654
CVE-2025-46654 affects CodiMD up to version 2.2.0, where a CSP-based XSS protection can be bypassed by uploading an HTML file that references an uploaded JavaScript file. Documented impact is cross-site scripting due to this bypass; the vulnerability applies to 2.2.0 and earlier. No exploit detai...