Homarr before v0.14.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Notebook widget that can be exploited through maliciously crafted Markdown hyperlinks.
The vulnerability was fixed in Pull Request #1459. The flaw originated in the npm tiptap package.
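
A general mitigation for this class of flaw, shown as an added example (it is not Homarr or tiptap code, and not the change made in Pull Request #1459): allowlist the URL scheme of every Markdown link target before the link is rendered. The function names, the allowed schemes, the placeholder base URL and the simplified inline-link pattern are assumptions.

```javascript
// Added example: scheme allowlist for Markdown link targets.
// Assumption: only these schemes are acceptable in user-authored notes.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Constructed base URL, used only so relative targets can be parsed.
const BASE = "https://placeholder.invalid/";

// True when the target is relative or uses an allowlisted scheme.
// Parsing with the WHATWG URL parser applies the same normalisation a
// browser does (case folding, removal of tabs/newlines, trimming of
// leading control characters) before the scheme is compared.
function isSafeHref(href) {
  try {
    return ALLOWED_PROTOCOLS.has(new URL(String(href), BASE).protocol);
  } catch {
    return false; // unparsable target: refuse to link it
  }
}

// Simplified matcher for inline links of the form [text](target "title").
// A real integration would hook isSafeHref into the Markdown parser or
// editor link handler instead of using a regular expression.
const INLINE_LINK = /\[([^\]]*)\]\(([^)]*)\)/g;

// Replaces every link whose target fails the allowlist with its bare text.
function stripUnsafeLinks(markdown) {
  return markdown.replace(INLINE_LINK, (whole, text, target) => {
    // Drop an optional trailing quoted title before checking the target.
    const dest = target.trim().replace(/\s+(["']).*\1$/s, "");
    return isSafeHref(dest) ? whole : text;
  });
}

// Constructed sample note: one ordinary link, one script-scheme link.
const sample = "See [docs](https://homarr.dev/) and [note](JavaScript:void0)";
console.log(stripUnsafeLinks(sample));
```

The check belongs on the server or in the renderer that produces the stored HTML, so that content saved by one user is neutralised before another user's browser loads it.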
- CVE Record: https://www.cve.org/CVERecord?id=CVE-2023-45908
- Vendor URL: https://homarr.dev/
- Fixed Release: ajnart/homarr#1574
- Pull Request: ajnart/homarr#1459
- CWE: https://cwe.mitre.org/data/definitions/80.html