CVE-2023-27035

MEDIUM

Obsidian Canvas <1.1.9 - XSS

Title source: llm

Description

An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio, and cause other unspecified impacts via an embedded website on the canvas page.

Exploits (1)

nomisec WORKING POC 1 stars
by fivex3 · poc
https://github.com/fivex3/CVE-2023-27035

Scores

CVSS v3: 6.5
EPSS: 0.0884
EPSS Percentile: 92.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-276
Status: published
Products (1): obsidian/obsidian 1.1.9
Published: May 01, 2023
Tracked Since: Feb 18, 2026