CVE-2022-36450
HIGH
Obsidian 0.14.0-0.15.4 - Remote Code Execution via obsidian://hook-get-address URL
Title source: llm
Description
Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL.
References (2)
Core References
Exploit, Vendor Advisory x_refsource_misc
https://forum.obsidian.md/t/possible-remote-code-execution-through-obsidian-uri-scheme/39743
Third Party Advisory x_refsource_misc
https://www.chtsecurity.com/news/f2a1ad21-3442-495f-8b6e-f0fe433d6caa
Scores
CVSS v3
8.0
EPSS
0.1959
EPSS Percentile
97.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (1)
obsidian/obsidian
0.14.0 - 0.15.5
Published
Jul 25, 2022
Tracked Since
Feb 18, 2026