Obsidian
Products
- 3 CVEs
- 1 CVE
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-56449 | | High | 0.53 | 8.2 | 0.00 | | Sep 29, 2025 | A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST API still allows the use of Basic Authentication to authenticate and perform… |
| CVE-2023-27035 | | | 0.01 | — | 0.02 | | May 1, 2023 | An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page. |
| CVE-2023-2110 | | | 0.00 | — | 0.00 | | Aug 19, 2023 | Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/". This vulnerability can be exploited if a user opens a malicious… |
| CVE-2022-36450 | | | 0.00 | — | 0.20 | | Jul 25, 2022 | Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL. |