Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Filters
Severity
Exploitation
Data Source
Data Quality
Vendor
CWE — Weakness Type
Clear all
Top 20 matches Showing top matches — use filters or a more specific query to narrow
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediatel
CVE-2026-41571
CRITICAL CVSS 9.4
Find Similar
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored pass
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware,
CVE-2026-44523
CRITICAL CVSS 10.0
Find Similar
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secre
Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the UR
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which do
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, w
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/n
CVE-2024-41662
CRITICAL CVSS 9.6
Find Similar
VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking applicatio
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in
Many Notes 0.10.1 is vulnerable to Cross Site Scripting (XSS), which allows malicious Markdown files to execute JavaScript when viewed.
Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid
CVE-2026-42090
CRITICAL CVSS 9.6
Find Similar
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the
ImpactThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip me
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note functi
The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funp_a
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authent
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note
Page 1+ Next →