Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.