Description
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Attackers can craft malicious markdown files with embedded JavaScript that executes system commands when opened, enabling remote code execution on the victim's computer.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a persistent Cross‑Site Scripting flaw in Anote 1.0 that permits an attacker to embed malicious JavaScript within markdown files stored by the application. By creating a specially crafted markdown file, the attacker can trigger the execution of arbitrary system commands when a user opens the file. The flaw is based on CWE‑79 and results in remote code execution on the victim’s machine.

Affected Systems

AnotherNote’s Anote version 1.0 is affected. The flaw resides in the handling of markdown content that is stored and later rendered by the application. No other product variants or versions are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity, but the risk is amplified by the RCE impact. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so there are no known active exploits yet. Likely the attack vector involves uploading a malicious markdown file to the application, then having a legitimate user open it. Successful exploitation requires the victim to view the file, which means the threat is limited to users with access to the affected application.

Generated by OpenCVE AI on May 15, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Anote release or apply the vendor‑supplied patch that resolves the persistent XSS flaw.
  • If updating is not immediately possible, sanitize all markdown input to strip or neutralize embedded <script> tags and JavaScript URLs before storage and rendering.
  • Deploy a strict Content‑Security‑Policy that blocks inline scripts and disallows unsafe‑eval in the browser context used by Anote.

Generated by OpenCVE AI on May 15, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type Values Removed Values Added
Title Anote 1.0 Persistent Cross-Site Scripting Remote Code Execution Anote 1.0 Persistent Cross-Site Scripting Leading to Code Execution

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Anothernote
Anothernote anote
Vendors & Products Anothernote
Anothernote anote

Sat, 16 May 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Attackers can craft malicious markdown files with embedded JavaScript that executes system commands when opened, enabling remote code execution on the victim's computer.
Title Anote 1.0 Persistent Cross-Site Scripting Remote Code Execution
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Anothernote Anote
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:17.199Z

Reserved: 2026-05-15T16:27:17.941Z

Link: CVE-2021-47963

cve-icon Vulnrichment

Updated: 2026-05-16T01:15:49.584Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T19:16:55.900

Modified: 2026-05-18T17:32:04.823

Link: CVE-2021-47963

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T17:01:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')