CVE-2025-50738
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.

This input attempts to render the image directly from any given URL, so any user viewing this memo will trigger the vulnerability.

Additional information:
After further analysis, the impact goes beyond simple IP tracking: the user's browser is actively directed to interact with a URL of the attacker's choice, potentially leading to the client fetching and processing malicious content. Mitigation would typically involve an image proxy, a stricter Content Security Policy, or user controls over automatic loading of external images.
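A sketch of the image-proxy mitigation, added here as an example and not taken from the Memos code base: it rewrites inline markdown images so the viewer's browser only ever requests a same-origin endpoint. The `/img-proxy` path, the trusted host `memos.example.internal` and the sample memo are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Matches inline markdown images: ![alt](target "optional title").
var mdImage = regexp.MustCompile(`!\[([^\]]*)\]\(\s*([^)\s]+)([^)]*)\)`)

// Assumption: hosts this deployment serves images from itself.
var trustedHosts = map[string]bool{"memos.example.internal": true}

// Hypothetical same-origin endpoint that fetches images server-side.
const proxyPath = "/img-proxy?url="

// isExternal reports whether target is anything other than a relative path or a trusted host.
func isExternal(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return true // unparseable: treat as untrusted
	}
	if u.Host == "" && u.Scheme == "" {
		return false // relative path, same origin
	}
	return !trustedHosts[strings.ToLower(u.Hostname())]
}

// RewriteImages routes external images through the proxy and returns the rewritten targets.
func RewriteImages(md string) (string, []string) {
	var rewritten []string
	out := mdImage.ReplaceAllStringFunc(md, func(m string) string {
		g := mdImage.FindStringSubmatch(m)
		if !isExternal(g[2]) {
			return m
		}
		rewritten = append(rewritten, g[2])
		return "![" + g[1] + "](" + proxyPath + url.QueryEscape(g[2]) + g[3] + ")"
	})
	return out, rewritten
}

func main() {
	// Constructed sample memo; tracker.example is a placeholder host.
	memo := "hi ![x](https://tracker.example/p.png) ![logo](/assets/logo.png)"
	fmt.Println(RewriteImages(memo))
}
```

This covers inline `![]()` syntax only, so it would be paired with a Content Security Policy `img-src` restriction that lets the browser block anything the rewrite misses.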
Remark:
HackMD also suffers from this.
Say you see an image error in the image below: it is actually a link to the webhook site.

