RESEARCH Security findings and disclosure notes

ZeroQuarry Research.

Security findings, disclosure notes, and product-security analysis from the ZeroQuarry team.

feed://research LIVE

$ publish --mode responsible-disclosure

ok exploit details limited while users update

$ focus --surface plugin-ecosystems

ok markdown, local files, extensions, trust boundaries

$ cta --single "request private scan"

ok useful first, conversion second

ZeroQuarry Research May 8, 2026 Mitigation available

RCE via Markdown in the Obsidian Tasks Plugin

ZeroQuarry identified a critical RCE path in the Obsidian Tasks plugin and coordinated disclosure with Obsidian and the plugin maintainer. This writeup explains the impact, disclosure process, mitigation tradeoff, and lessons for plugin ecosystems.

Read the research ->