Description
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Attackers can craft malicious markdown files with embedded JavaScript that executes system commands when opened, enabling remote code execution on the victim's computer.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a persistent Cross‑Site Scripting flaw in Anote 1.0 that permits an attacker to embed malicious JavaScript within markdown files stored by the application. By creating a specially crafted markdown file, the attacker can trigger the execution of arbitrary system commands when a user opens the file. The flaw is based on CWE‑79 and results in remote code execution on the victim’s machine.

Affected Systems

AnotherNote’s Anote version 1.0 is affected. The flaw resides in the handling of markdown content that is stored and later rendered by the application. No other product variants or versions are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity, but the risk is amplified by the RCE impact. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so there are no known active exploits yet. Likely the attack vector involves uploading a malicious markdown file to the application, then having a legitimate user open it. Successful exploitation requires the victim to view the file, which means the threat is limited to users with access to the affected application.

Generated by OpenCVE AI on May 15, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Anote release or apply the vendor‑supplied patch that resolves the persistent XSS flaw.
  • If updating is not immediately possible, sanitize all markdown input to strip or neutralize embedded <script> tags and JavaScript URLs before storage and rendering.
  • Deploy a strict Content‑Security‑Policy that blocks inline scripts and disallows unsafe‑eval in the browser context used by Anote.

Generated by OpenCVE AI on May 15, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Attackers can craft malicious markdown files with embedded JavaScript that executes system commands when opened, enabling remote code execution on the victim's computer.
Title Anote 1.0 Persistent Cross-Site Scripting Remote Code Execution
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T01:15:54.332Z

Reserved: 2026-05-15T16:27:17.941Z

Link: CVE-2021-47963

cve-icon Vulnrichment

Updated: 2026-05-16T01:15:49.584Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:16:55.900

Modified: 2026-05-15T19:16:55.900

Link: CVE-2021-47963

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses