
9 matches found

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2021-22609

Malware in sbrugna...

CVSS 6.1 · AI score 6.3 · EPSS 0.0053
Exploits: 1 · References: 4

EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2022-48047

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.6 · EPSS 0.0061
Exploits: 1 · References: 2

EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2023-37413

Malicious code in bioql PyPI...

CVSS 8.2 · AI score 8.1 · EPSS 0.003
Exploits: 0 · References: 2

Vulnrichment
added 2025/08/19 12:0 a.m. · 4 views

CVE-2025-54336

In Plesk Obsidian 18.0.70, isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 such as the 0e0 string. This occurs in admin/plib/LoginManager.php...

AI score 7.2 · EPSS 0.00108
Exploits: 0 · References: 3

RedhatCVE
added 2025/05/23 1:53 a.m. · 5 views

CVE-2023-2110

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies tex...

CVSS 8.2 · AI score 6.7 · EPSS 0.00121
Exploits: 1 · References: 1

RedhatCVE
added 2025/05/22 8:8 p.m. · 7 views

CVE-2021-38148

Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs...

CVSS 9.8 · AI score 6.9 · EPSS 0.00504
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/05 10:39 p.m. · 8 views

CVE-2022-36450

Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL...

CVSS 9.8 · AI score 7.9 · EPSS 0.02522
Exploits: 1 · References: 1

Vulnrichment
added 2023/01/22 12:0 a.m. · 9 views

CVE-2023-24044

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."...

AI score 7.4 · EPSS 0.59145
Exploits: 3 · References: 3

Positive Technologies
added 2022/11/10 12:0 a.m. · 2 views

PT-2022-27411 · Plesk · Plesk Obsidian

Name of the Vulnerable Software and Affected Versions: Plesk Obsidian
Description: The issue allows a CSRF attack, for example, via the "/api/v2/cli/commands" REST API to change an Admin password. This affects Plesk Obsidian, which is a specific version of the Plesk product where versions are...

CVSS 6.5 · AI score 6.3 · EPSS 0.0061
Exploits: 1 · References: 5