Cross Site Scripting Vulnerability in VNote by vnotex
CVE-2026-15505

5.1MEDIUM

Key Information:

Vendor

Vnotex

Status
Vendor
CVE Published:
12 July 2026

What is CVE-2026-15505?

A cross site scripting vulnerability has been identified in VNote by vnotex, specifically within the YAML Frontmatter component. This issue arises from an improper handling of the argument 'p_metaData' in the file /src/data/extra/web/js/markdownit.js. When exploited, this vulnerability allows an attacker to manipulate the affected function, potentially leading to unauthorized script execution in the context of other users. The attack can be initiated remotely, making systems running VNote up to version 3.20.1 susceptible to malicious activities. Despite early disclosure attempts, the vendor did not address the issue.

Affected Version(s)

vnote 3.20.0

vnote 3.20.1

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

SISUBENY (VulDB User)
VulDB CNA Team
.