Product
obsidian
10 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2023-2110 (affected versions: < 1.2.8)
Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files
CVE-2023-33244 (affected versions: < 1.2.2)
Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embe
CVE-2023-27035 (affected versions: all versions)
An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other un
CVE-2023-24044 (affected versions: <= 18.0.49)
A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious
CVE-2022-45130 (affected versions: all versions)
Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a
CVE-2022-36450 (affected versions: >= 0.14.0 and < 0.15.5)
Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used with
CVE-2021-42057 (affected versions: <= 0.4.11)
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an
CVE-2021-35976 (affected versions: >= 18.0.0 and <= 18.0.32)
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-s
CVE-2021-38148 (affected versions: < 0.12.12)
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.
CVE-2020-11583 (affected versions: all versions)
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScri