Updated libexif packages fix security vulnerabilities

CVE-2026-32775: libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exifmnotedatagetvalue function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow. CVE-2026-40385: In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon...

@backstage/plugin-catalog-backend-module-unprocessed (>=0.0.0-nightly-20240321021124 <=0.6.11-next.0), @backstage/plugin-catalog-unprocessed-entities (>=0.0.0-nightly-20251203024610 <=0.2.30-next.0) potentially affected by CVE-2026-44374 via @backstage/plugin-catalog-unprocessed-entities-common (>=0.0.0-nightly-20241116023418 <=0.0.15-next.0)

@backstage/plugin-catalog-unprocessed-entities-common NPM version =0.0.0-nightly-20241116023418, =0.0.0-nightly-20240321021124, =0.0.0-nightly-20251203024610, =0.2.30-next.0 Source cves: CVE-2026-44374 Source advisory: OSV:GHSA-P7G9-RP3G-MGFG...

Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-41066)

The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2026-41066 advisory. - lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using...

@akemona-org/strapi-connector-mongoose (>=3.13.0 <=3.17.2), @andybeat/clothingshop-nestjs (>=2.9.0 <=2.12.0) +87 more potentially affected by CVE-2026-42334 via mongoose (>=8.0.0 <=8.21.0)

mongoose NPM version =8.0.0, =3.13.0, =2.9.0, =0.10.18, =0.10.21, =1.3.5, =3.8.0, =1.0.1, =8.10.0, =0.8.7, =1.0.1, =1.5.1, =1.12.42, =7.0.0, =0.0.1-20250418035022-6dadadb.0, =0.6.0, =0.11.0 and more Source cves: CVE-2026-42334 Source advisory: SNYK:JS-MONGOOSE-16425765...

CVE-2026-41572

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

CVE-2026-41571

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...

CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

CVE-2026-41572

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

CVE-2026-41571 Note Mark: OIDC-registered users authenticated by submitting password "null"

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...

CVE-2026-42090

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is...

CVE-2026-42090 Notesnook: RCE via stored XSS in note export rendering

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is...

EUVD-2026-27019

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is...

CVE-2026-42090

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is...

CVE-2026-42090 Notesnook: RCE via stored XSS in note export rendering

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is...

CVE-2026-42090

Notesnook exposes a stored XSS in the note export flow that can escalate to remote code execution in the desktop app. Root cause: exported fields (title, headline, content) are inserted into the HTML template without escaping, which is then rendered into a same-origin, unsandboxed iframe via ifra...

CVE-2026-44670

creationtimestamp| type| source ---|---|--- 2026-05-04 07:03:18+00:00| published-proof-of-concept| https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h64-c999-c9r6...

Malicious Package

Overview @m0ntana/app.web is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVE-2026-7709

creationtimestamp| type| source ---|---|--- 2026-05-04 00:53:36+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mkyhi6bccn2k...

Notesnook 跨站脚本漏洞

Notesnook is an end-to-end encrypted note application developed by Streetwriters. Versions of Notesnook for Web/Desktop prior to 3.3.15, as well as versions for iOS/Android prior to 3.3.20, had a cross-site scripting vulnerability. This vulnerability stemmed from the lack of HTML escaping for...

Note Mark 授权问题漏洞

Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.3 had an authorization issue vulnerability. This vulnerability stemmed from the fact that notes and uploaded assets could still be accessed after public books were soft-deleted,...