Notable: >> Notable >> 1.8.4 Security Vulnerabilities
Notable before 1.9.0-beta.8 doesn't effectively prevent the opening of executable files when clicking on a link. There is improper validation of the file URI scheme. A hyperlink to an SMB share could lead to execution of an arbitrary program (or theft of NTLM credentials via an SMB relay attack, because the application resolves UNC paths).
CVSS Score
8.8
EPSS Score
0.003
Published
2022-04-15
Notable v1.8.4 does not filter text editing, allowing attackers to execute arbitrary code via a crafted payload injected into the Title text field.
CVSS Score
9.8
EPSS Score
0.008
Published
2022-03-27
Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).
CVSS Score
9.6
EPSS Score
0.039
Published
2020-12-10