Lucene search
K

50 matches found

Circl
Circl
added 5 days ago8 views

CVE-2026-50554

creationtimestamp| type| source ---|---|--- 2026-07-09 14:35:10+00:00| published-proof-of-concept| https://github.com/enchant97/note-mark/security/advisories/GHSA-588f-fvcv-xhvf...

5.9AI score0.00048EPSS
Exploits0References1
OSV
OSV
added 2026/06/25 10:34 p.m.3 views

GO-2026-5557 Note Mark: OIDC-registered users authenticated by submitting password "null" in github.com/enchant97/note-mark/backend

Note Mark: OIDC-registered users authenticated by submitting password "null" in github.com/enchant97/note-mark/backend...

9.4CVSS5.8AI score0.00296EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5530 Note Mark has Broken Access Control on Asset Download in github.com/enchant97/note-mark/backend

Note Mark has Broken Access Control on Asset Download in github.com/enchant97/note-mark/backend...

5.9CVSS5.8AI score0.00409EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 10:34 p.m.4 views

GO-2026-5567 Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery in github.com/enchant97/note-mark/backend

Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery in github.com/enchant97/note-mark/backend...

10CVSS5.8AI score0.00124EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 6:43 p.m.5 views

GO-2026-5389 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution in github.com/enchant97/note-mark/backend

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution in github.com/enchant97/note-mark/backend...

8.6CVSS6AI score0.00495EPSS
Exploits0References3
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5295 Note Mark has Stored XSS via Unrestricted Asset Upload in github.com/enchant97/note-mark/backend

Note Mark has Stored XSS via Unrestricted Asset Upload in github.com/enchant97/note-mark/backend...

8.7CVSS5.8AI score0.00309EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 6:26 p.m.5 views

GO-2026-5085 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books in github.com/enchant97/note-mark/backend

Note Mark: Unauthenticated read of notes and assets in soft-deleted public books in github.com/enchant97/note-mark/backend...

5.3CVSS5.8AI score0.00194EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.10 views

CVE-2026-41571

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...

9.4CVSS5.3AI score0.00296EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.10 views

CVE-2026-44522

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

8.6CVSS5.7AI score0.00495EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.12 views

CVE-2026-44523

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...

10CVSS5.8AI score0.00124EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/14 9:25 p.m.9 views

Inadequate Encryption Strength

Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength due to insufficient enforcement of length and entropy requirements for the JWTSECRET configuration value. An attacker can gain unauthorized access to user accounts by forging authentication tokens using we...

10CVSS5.8AI score0.00124EPSS
Exploits0References2
NVD
NVD
added 2026/05/14 7:16 p.m.14 views

CVE-2026-44523

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...

10CVSS0.00124EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 p.m.41 views

CVE-2026-44522

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

8.6CVSS0.00495EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/14 6:44 p.m.13 views

EUVD-2026-30370

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

8.6CVSS6AI score0.00495EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 6:44 p.m.8 views

CVE-2026-44522 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

8.6CVSS6AI score0.00495EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 6:44 p.m.53 views

CVE-2026-44522 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

8.6CVSS0.00495EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 6:44 p.m.28 views

CVE-2026-44522

Vulnerability summary (CVE-2026-44522) Note Mark up to 0.19.3 allows authenticated users to upload assets with a crafted X-Name header containing directory traversal. The asset name is stored in the database without validation, and is later passed directly to filepath.Join()/path.Join() during ex...

8.6CVSS6AI score0.00495EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 6:42 p.m.9 views

CVE-2026-44523 Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...

10CVSS5.8AI score0.00124EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 6:42 p.m.26 views

CVE-2026-44523

CVE-2026-44523 affects Note Mark, with all versions before 0.19.4 vulnerable to a JWT secret weakness. The root cause is that the JWT secret is not validated for minimum length or entropy; the application accepts any base64-decodable secret, even as short as 1 byte. In backend/config/utils.go, Ba...

10CVSS5.8AI score0.00124EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/14 6:42 p.m.8 views

EUVD-2026-30367

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...

10CVSS5.8AI score0.00124EPSS
Exploits0References1
Rows per page
Query Builder