Obsidian has a major vulnerability

pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Therefore, when obsidian loads a malicious PDF, it will cause the command to execute

Already fixed in the latest insider build, 1.6.1

Duplicate of: CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js