[GH-ISSUE #830] vulnerability in note-gen project #619

New issue

Closed

opened 2026-03-02 03:40:53 +03:00 by kerem · 0 comments

kerem commented 2026-03-02 03:40:53 +03:00

Owner

Copy link

Originally created by @ankitdn on GitHub (Jan 6, 2026).
Original GitHub issue: https://github.com/codexu/note-gen/issues/830

While working in note-gen project, I identified this vulnerability during a review of how external resources were loaded into PDFs. While testing user-supplied inputs for PDF generation, I noticed that the loadFile method accepts file paths directly without sufficient validation.

CVE Link
CVE Report

Originally created by @ankitdn on GitHub (Jan 6, 2026). Original GitHub issue: https://github.com/codexu/note-gen/issues/830 While working in note-gen project, I identified this vulnerability during a review of how external resources were loaded into PDFs. While testing user-supplied inputs for PDF generation, I noticed that the loadFile method accepts file paths directly without sufficient validation. [CVE Link](https://vulert.com/vuln-db/jspdf-has-local-file-inclusion-path-traversal-vulnerability) [CVE Report](https://vulert.com/vuln-scan/list/ec62a5ad-daa6-4c46-b40d-f70a2a8a8906)

kerem closed this issue 2026-03-02 03:40:53 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

release

codex/file-agent-safety

codex/onboarding-guide

codex/record-filter-popover

codex/activity-calendar

codex/mcp-optimization

codex/local-speech-default

codex/fix-folder-paste-target

codex/agent-write-policy-session-confirm

pref/agent

fix/record-sync

feature/markdown-image-local-path

fix/editor-cursor-jump

fix/table-empty-cell-nbsp

feature/tiptap-search-replace

feature/folder-sync-tool

feature/sync-toggle-enhancement

feature/webdav-sync

feature/s3-sync

feature/editor-centered-content

feature/editor-undo-redo

fix/gitlab-sync-404

note-gen-v0.27.7

note-gen-v0.27.6

note-gen-v0.27.5

note-gen-v0.27.4

note-gen-v0.27.3

note-gen-v0.27.2

note-gen-v0.27.1

note-gen-v0.27.0

note-gen-v0.26.5

note-gen-v0.26.4

note-gen-v0.26.3

note-gen-v0.26.2

note-gen-v0.26.1

note-gen-v0.26.0

note-gen-v0.25.4

note-gen-v0.25.3

note-gen-v0.25.2

note-gen-v0.25.1

note-gen-v0.25.0

note-gen-v0.24.1

note-gen-v0.24.0

note-gen-v0.23.7

note-gen-v0.23.6

note-gen-v0.23.5

note-gen-v0.23.4

note-gen-v0.23.3

note-gen-v0.23.2

note-gen-v0.23.1

note-gen-v0.23.0

note-gen-v0.22.4

note-gen-v0.22.3

note-gen-v0.22.2

note-gen-v0.22.1

note-gen-v0.22.0

note-gen-v0.21.3

note-gen-v0.21.2

note-gen-v0.21.1

note-gen-v0.21.0

note-gen-v0.20.3

note-gen-v0.20.2

note-gen-v0.20.1

note-gen-v0.20.0

note-gen-v0.19.11

note-gen-v0.19.10

note-gen-v0.19.9

note-gen-v0.19.8

note-gen-v0.19.7

note-gen-v0.19.6

note-gen-v0.19.5

note-gen-v0.19.4

note-gen-v0.19.3

note-gen-v0.19.2

note-gen-v0.19.1

note-gen-v0.19.0

note-gen-v0.18.3

note-gen-v0.18.2

note-gen-v0.18.1

note-gen-v0.18.0

note-gen-v0.17.3

note-gen-v0.17.2

note-gen-v0.17.1

note-gen-v0.17.0

note-gen-v0.16.5

note-gen-v0.16.4

note-gen-v0.16.3

note-gen-v0.16.2

app-v0.16.1

app-v0.16.0

app-v0.15.0

app-v0.14.0

app-v0.13.7

app-v0.13.6

app-v0.13.5

app-v0.13.4

app-v0.13.3

app-v0.13.2

app-v0.13.1

app-v0.13.0

app-v0.12.4

app-v0.12.3

app-v0.12.2

app-v0.12.1

app-v0.12.0

app-v0.11.0

app-v0.10.8

app-v0.10.7

app-v0.10.6

app-v0.10.5

app-v0.10.4

app-v0.10.3

app-v0.10.2

app-v0.10.1

app-v0.10.0

app-v0.9.1

app-v0.9.0

app-v0.8.3

app-v0.8.2

app-v0.8.1

app-v0.8.0

app-v0.7.9

app-v0.7.8

app-v0.7.7

app-v0.7.6

app-v0.7.5

app-v0.7.4

app-v0.7.3

app-v0.7.2

app-v0.7.1

app-v0.7.0

app-v0.6.5

app-v0.6.4

app-v0.6.3

app-v0.6.2

app-v0.6.1

app-v0.6.0

app-v0.5.20

app-v0.5.19

app-v0.5.18

app-v0.5.17

app-v0.5.16

app-v0.5.14

app-v0.5.13

app-v0.5.12

app-v0.5.11

app-v0.5.10

app-v0.5.9

app-v0.5.8

app-v0.5.7

app-v0.5.6

app-v0.5.5

app-v0.5.4

app-v0.5.3

app-v0.5.2

app-v0.5.1

app-v0.5.0

app-v0.4.4

app-v0.4.3

app-v0.4.2

app-v0.4.1

app-v0.4.0

app-v0.3.0

app-v0.2.1

app-v0.2.0

app-v0.1.0

Labels

Clear labels   

bug

  

duplicate

  

feature

  

platform: Android

  

platform: Linux

  

platform: Windows

  

platform: iOS

  

platform: macOS

  

priority: high

  

priority: low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

No labels

bug

duplicate

feature

platform: Android

platform: Linux

platform: Windows

platform: iOS

platform: macOS

priority: high

priority: low

pull-request

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/note-gen#619

No description provided.