Skip to main content

Affine

2 CVEs product

Monthly

CVE-2026-7702 MEDIUM POC This Month

Authorization bypass in AFFiNE up to version 0.26.3 allows remote unauthenticated attackers to access restricted document previews through the Public Markdown Preview Endpoint (/workspace/:workspaceId/:docId). The allowDocPreview function fails to properly validate access permissions, enabling attackers to retrieve sensitive document content without authentication. Public exploit code is available, and the vendor has not responded to early disclosure attempts.

Authentication Bypass Affine
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-21853 HIGH This Week

Remote code execution in AFFiNE workspace application (versions prior to 0.25.4) allows unauthenticated attackers to execute arbitrary code via malicious affine: URL handlers. Exploitation requires one user click on a crafted link or visiting a malicious website that auto-redirects to the malicious URL. The browser's custom protocol handler automatically launches AFFiNE and processes the payload without further user interaction, achieving RCE. EPSS score of 0.17% (38th percentile) suggests low observed exploitation activity. GitHub security advisory GHSA-67vm-2mcj-8965 confirms the vulnerability with upstream fix available in commit c9a4129a via PR #13864.

RCE Code Injection Affine
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authorization bypass in AFFiNE up to version 0.26.3 allows remote unauthenticated attackers to access restricted document previews through the Public Markdown Preview Endpoint (/workspace/:workspaceId/:docId). The allowDocPreview function fails to properly validate access permissions, enabling attackers to retrieve sensitive document content without authentication. Public exploit code is available, and the vendor has not responded to early disclosure attempts.

Authentication Bypass Affine
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in AFFiNE workspace application (versions prior to 0.25.4) allows unauthenticated attackers to execute arbitrary code via malicious affine: URL handlers. Exploitation requires one user click on a crafted link or visiting a malicious website that auto-redirects to the malicious URL. The browser's custom protocol handler automatically launches AFFiNE and processes the payload without further user interaction, achieving RCE. EPSS score of 0.17% (38th percentile) suggests low observed exploitation activity. GitHub security advisory GHSA-67vm-2mcj-8965 confirms the vulnerability with upstream fix available in commit c9a4129a via PR #13864.

RCE Code Injection Affine
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy