CVE-2024-41662

HIGH

VNote < 3.18.1 - Stored Cross-Site Scripting in Markdown Renderer

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-41662. PoCs published by sh3bu.

AI-analyzed exploit summary The repository provides a detailed technical analysis of CVE-2024-41662, an XSS vulnerability in VNote's Markdown rendering functionality that can lead to RCE. It includes steps to reproduce, payload examples, and mitigation strategies.

Description

VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content.

Exploits (2)

nomisec WRITEUP 3 stars

by sh3bu · poc

https://github.com/sh3bu/CVE-2024-41662

View Code ZIP pw:eip

The repository provides a detailed technical analysis of CVE-2024-41662, an XSS vulnerability in VNote's Markdown rendering functionality that can lead to RCE. It includes steps to reproduce, payload examples, and mitigation strategies.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: VNote <=3.18.1

No auth needed

Prerequisites: Access to VNote application · Ability to create or edit notes

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WRITEUP

by sh3bu · poc

https://github.com/sh3bu/CVE-disclosures/tree/main/CVE-2024-41662

View Code ZIP pw:eip

The repository provides a detailed technical analysis of CVE-2024-41662, an XSS vulnerability in VNote's Markdown rendering that can lead to RCE. It includes steps to reproduce, payload examples, and mitigation strategies, demonstrating a clear understanding of the vulnerability.

Classification

Writeup 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: VNote <=3.18.1

No auth needed

Prerequisites: Access to VNote application · Ability to create or edit notes

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/vnotex/vnote/security/advisories/GHSA-w655-h68w-vxxc

Patch x_refsource_misc

https://github.com/vnotex/vnote/commit/f1af78573a0ef51d6ef6a0bc4080cddc8f30a545

View Patch ZIP pw:eip

Scores

CVSS v3 8.6

EPSS 0.0158

EPSS Percentile 72.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (1)

vnote_project/vnote < 3.18.1

Published Jul 24, 2024

Tracked Since Feb 18, 2026