{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/affine/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["xss","vulnerability","affine"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA cybersecurity researcher discovered two critical XSS vulnerabilities in AFFiNE, a self-hosted alternative to Notion, which has 66k stars on GitHub. The vulnerabilities include a reflected XSS in the \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint and a stored XSS vulnerability in bookmark cards. The \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint vulnerability allows unauthenticated users to fetch arbitrary URLs and reflect the URL headers in the response, potentially leaking internal IP addresses. The stored XSS vulnerability enables attackers to insert JavaScript links within bookmark cards. The researcher reported that the AFFiNE maintainers have been unresponsive to vulnerability reports for months, despite ongoing commits to the repository, raising concerns about the security of AFFiNE users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AFFiNE instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting the \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint with a payload designed to reflect arbitrary headers, possibly revealing internal network information.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted URL to a victim, or the attacker directly accesses the vulnerable endpoint if internal IP leakage is the goal.\u003c/li\u003e\n\u003cli\u003eThe AFFiNE server fetches the URL and reflects the attacker-controlled headers in the response, leading to XSS execution in the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a bookmark card containing a \u0026ldquo;javascript:\u0026rdquo; link.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the malicious bookmark card within AFFiNE.\u003c/li\u003e\n\u003cli\u003eWhen a user clicks on the malicious bookmark card, the injected JavaScript code executes within their browser session, enabling further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then steal cookies, redirect the user, or perform other actions within the context of the AFFiNE application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the reflected XSS vulnerability can expose internal IP addresses of AFFiNE instances, potentially affecting all users of the self-hosted application. The stored XSS vulnerability can lead to account takeover, data theft, or further propagation of malicious content within the AFFiNE workspace. AFFiNE has 66k stars on GitHub, indicating a significant user base, making the impact potentially widespread. The affected sectors are broad, as AFFiNE is a general-purpose productivity tool.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint at the network or proxy level as a temporary mitigation for the reflected XSS vulnerability, as suggested by the researcher.\u003c/li\u003e\n\u003cli\u003eEducate users to avoid clicking on links starting with \u0026ldquo;javascript:\u0026rdquo; in bookmark cards to prevent exploitation of the stored XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect access to the vulnerable \u003ccode\u003e/image-proxy\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect bookmark cards with suspicious JavaScript links.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T12:09:56Z","date_published":"2026-03-19T12:09:56Z","id":"/briefs/2026-03-affine-xss/","summary":"Two critical XSS vulnerabilities, Reflected XSS in the /image-proxy endpoint and Stored XSS in bookmark cards, were discovered in AFFiNE, a self-hosted alternative to Notion, with the vendor being unresponsive.","title":"Critical XSS Vulnerabilities in AFFiNE","url":"https://feed.craftedsignal.io/briefs/2026-03-affine-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Affine","version":"https://jsonfeed.org/version/1.1"}