The vulnerability stems from insufficient input validation combined with an overly permissive CORS policy in Open Notebook version 1.8.1. An attacker can craft a malicious URL that, when a legitimate user clicks or follows, will cause the application to alter or delete arbitrary database entries. The effect can be data loss, corruption, or unauthorized deletion, and depending on deployment, the attacker may also be able to exfiltrate sensitive information. The weakness is a classic injection flaw (CWE-20) coupled with cross‑site request forgery (CWE-352), improper reliance on default settings (CWE-917), and an additional unspecified CWE (NVD-CWE-noinfo).

The affected product is "Open Notebook" from the Open Notebook vendor, specifically version 1.8.1. Any installation running this version is potentially vulnerable and should be reviewed for exploitation risk.

With a CVSS score of 8.7 the vulnerability is considered high severity. The EPSS score of 0.00072 indicates a very low but non‑zero exploitation probability. No indication that the vulnerability is listed in the CISA KEV catalog. Based on the description the attack vector is remote, requiring a victim to load a crafted URL from a malicious site; the attacker does not need to be authenticated to the target system. If the victim’s credentials are compromised or the user is social‑engineered, the attacker can directly manipulate database entries.