Cross Site Scripting Vulnerability in VNote by vnotex
CVE-2026-15505
5.1MEDIUM
What is CVE-2026-15505?
A cross site scripting vulnerability has been identified in VNote by vnotex, specifically within the YAML Frontmatter component. This issue arises from an improper handling of the argument 'p_metaData' in the file /src/data/extra/web/js/markdownit.js. When exploited, this vulnerability allows an attacker to manipulate the affected function, potentially leading to unauthorized script execution in the context of other users. The attack can be initiated remotely, making systems running VNote up to version 3.20.1 susceptible to malicious activities. Despite early disclosure attempts, the vendor did not address the issue.
Affected Version(s)
vnote 3.20.0
vnote 3.20.1
