Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered XSS via shared note requires low privileges to craft and deliver, user interaction to render, scope change to browser context, with low confidentiality and integrity impact.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument p_metaData causes cross site scripting. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Cross-site scripting in vnotex vnote up to version 3.20.1 allows a remote attacker with low-level privileges to inject malicious scripts via the YAML frontmatter p_metaData argument processed by /src/data/extra/web/js/markdownit.js. When a victim views or renders a specially crafted note containing malicious YAML metadata, the injected script executes in their browser context, enabling limited integrity manipulation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to have the ability to create or deliver a crafted Markdown note to the victim - either through a shared notebook, file share, or direct file transfer - giving the attack a PR:L (low-privilege) baseline: the attacker does not need admin rights but must have some write or delivery capability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:P reflects a meaningful but constrained risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to a shared note repository or collaboration workspace crafts a vnote Markdown file containing a malicious JavaScript payload embedded in the YAML frontmatter metadata block. When a co-user or victim opens the note within vnote's embedded web renderer, the markdownit.js parser processes the unsanitized `p_metaData` value and the injected script executes in the browser context. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the vendor did not respond to responsible disclosure contact. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
VNote is a note-taking platform. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no auth
A vulnerability has been found in vnotex vnote up to 3.17.0 and classified as problematic. Rated medium severity (CVSS 6
VNote 2.2 has XSS via a new text note. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43246
GHSA-q2vg-w96j-jgp7