
5 matches found

CVE | added 2024/02/21 12:0 a.m. | 6210 views

CVE-2024-22778

HackMD CodiMD versions before 2.5.2 are vulnerable to Denial of Service. Affected software: HackMD CodiMD prior to 2.5.2. Root cause and impact: DoS vulnerability with CWEs not specified in the documents; CVSSv3.1 base score 7.5 (Network exploitation, Low attack complexity, No privileges, No user...

CVSS 7.5 | AI score 6.7 | EPSS 0.00588
CVE | added 2024/07/10 7:50 p.m. | 71 views

CVE-2024-38353

CVE-2024-38353 (CodiMD) affects CodiMD prior to 2.5.4, where an unauthenticated attacker can access uploaded image data due to missing authentication and access controls. The underlying issue is insecure filename generation in the Formidable library, enabling an attacker who can guess an image UR...

CVSS 5.3 | AI score 5.6 | EPSS 0.05317
CVE | added 2025/04/26 12:0 a.m. | 55 views

CVE-2025-46654

CVE-2025-46654 affects CodiMD up to version 2.2.0, where a CSP-based XSS protection can be bypassed by uploading an HTML file that references an uploaded JavaScript file. Documented impact is cross-site scripting due to this bypass; the vulnerability applies to 2.2.0 and earlier. No exploit detai...

CVSS 4.9 | AI score 6.1 | EPSS 0.00018
CVE | added 2024/07/10 7:49 p.m. | 50 views

CVE-2024-38354

CVE-2024-38354 affects CodiMD/HackMD.io notes, where the notebook feature allows rendering of iframe HTML tags with an improperly sanitized name attribute, enabling DOM clobbering-based XSS. The issue, fixed in version 2.5.4, impacts note collaboration environments that render untrusted HTML. No ...

CVSS 8.1 | AI score 6.5 | EPSS 0.00965
CVE | added 2019/08/23 3:19 a.m. | 44 views

CVE-2019-15499

CVE-2019-15499 affects CodiMD 1.3.1. In Safari, an XSS can be triggered via an IFRAME element with allow-top-navigation in the sandbox attribute when used with a data: URL. Multiple sources (NVD, Red Hat advisory, OSV, CVE lists) corroborate this description. No explicit patch/version remediation...

CVSS 6.1 | AI score 5.9 | EPSS 0.0024