17 matches found
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the asset download process. An attacker can access the full contents of private note assets by sending unauthenticated requests to the /api/notes/noteID/assets/assetID endpoint when valid note and asset IDs are...
CVE-2026-40265
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...
Note Mark Security Vulnerability
Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.1 contained a security vulnerability. This vulnerability stemmed from the asset download endpoint at /api/notes/noteID/assets/assetID, which did not register an authentication...
CVE-2026-40265
CVE-2026-40265 affects Note Mark (versions
CVE-2026-40265 Note Mark has Broken Access Control on Asset Download
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...
EUVD-2021-1905
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2021-25954
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In the Dolibarr application, 2.8.1 to 13.0.4 does not restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can...
Linux Distros Unpatched Vulnerability : CVE-2021-25955
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store...
Dolibarr Cross-site Scripting vulnerability
In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Private Note field at /adherents/note.php?id=1 endpoint. These scripts are executed in a victim’s browser when th...
GHSA-CPV8-6XGR-RMF6 Dolibarr Cross-site Scripting vulnerability
In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Private Note field at /adherents/note.php?id=1 endpoint. These scripts are executed in a victim’s browser when th...
Cross-site Scripting (XSS)
Dolibarr is vulnerable to cross-site scripting (XSS). An attacker is able to exploit the vulnerability by storing malicious scripts in the “Private Note” field at the “/adherents/note.php?id=1” endpoint, which are executed in a victim’s browser...
CVE-2021-25955
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser...
Improper access control
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser...
UBUNTU-CVE-2021-25954
In the “Dolibarr” application, 2.8.1 to 13.0.4 does not restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note, which only an administrator has rights to do; the affected field is at the “/adherents/note.php?id=1” endpoint...
Dolibarr ERP/CRM Access Control Error Vulnerability
Dolibarr ERP/CRM is a Web-based enterprise resource planning ERP and customer relationship management CRM system from the Dolibarr Foundation in France. The system can be used to manage products, inventory, invoices, orders, and more. An Access Control Error vulnerability exists in Dolibarr ERP/C...