Vulnerability Details : CVE-2022-40276
Potential exploit
Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them.
Products affected by CVE-2022-40276
- cpe:2.3:a:zettlr:zettlr:2.3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-40276
0.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-40276
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-05-02 |
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2022-40276
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-40276
-
https://fluidattacks.com/advisories/avicii/
Zettlr 2.3.0 - Local File Read | Advisories | Fluid AttacksExploit;Third Party Advisory
-
https://github.com/Zettlr/Zettlr
GitHub - Zettlr/Zettlr: A Markdown Editor for the 21st century.Product;Third Party Advisory
Jump to