43 matches found

Cvelist
added 2026/05/04 5:42 p.m., 31 views

CVE-2026-41571 Note Mark: OIDC-registered users authenticated by submitting password "null"

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt hash of the placeholder string "null" whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...

CVSS 9.4, EPSS 0.00296
Exploits 0, References 2
CNNVD
added 2026/05/04 12:00 a.m., 6 views

Note Mark authorization issue vulnerability

Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.3 contain an authorization flaw: notes and uploaded assets could still be accessed after public books were soft-deleted,...

CVSS 5.3, AI score 5.8, EPSS 0.00194
Exploits 0, References 1
CNNVD
added 2026/05/04 12:00 a.m., 13 views

Note Mark authorization issue vulnerability

Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Version 0.19.2 of Note Mark contains an authorization vulnerability. It stems from the IsPasswordMatch function falling back to a hard-coded bcrypt placeholder hash whenever a user's stored password is empty, allowing unauthenticate...

CVSS 9.4, AI score 5.8, EPSS 0.00296
Exploits 0, References 1
Circl
added 2026/05/02 2:27 p.m., 5 views

CVE-2026-44522

creationtimestamp | type | source
--- | --- | ---
2026-05-02 14:27:54+00:00 | published-proof-of-concept | https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3...

CVSS 8.6, AI score 5.8, EPSS 0.00495
Exploits 0, References 1
NVD
added 2026/04/17 1:17 a.m., 2 views

CVE-2026-40263

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...

CVSS 3.7, EPSS 0.002
Exploits 0, References 2
CNNVD
added 2026/04/17 12:00 a.m., 5 views

Note Mark security vulnerability

Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.1 contained a security vulnerability. This vulnerability stemmed from the asset download endpoint at /api/notes/noteID/assets/assetID, which did not register an authentication...

CVSS 5.9, AI score 5.8, EPSS 0.00409
Exploits 0, References 1
CNNVD
added 2026/04/17 12:00 a.m., 10 views

Note Mark security vulnerability

Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.1 contained a security vulnerability. It stemmed from the login endpoint performing bcrypt password verification only when the supplied username existed, and returning immediately otherwise. This allowed...

CVSS 3.7, AI score 5.8, EPSS 0.002
Exploits 0, References 1
CNNVD
added 2026/04/17 12:00 a.m., 5 views

Note Mark security vulnerability

Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.1 contained security vulnerabilities. These vulnerabilities stemmed from the asset delivery handler’s inline handling of uploaded files and its reliance on magic bytes to detect...

CVSS 8.7, AI score 5.8, EPSS 0.00309
Exploits 0, References 2
CVE
added 2026/04/16 11:56 p.m., 5 views

CVE-2026-40265

CVE-2026-40265 affects Note Mark (versions

CVSS 5.9, AI score 5.8, EPSS 0.00409
Exploits 0, References 3
Cvelist
added 2026/04/16 11:56 p.m., 22 views

CVE-2026-40265 Note Mark has Broken Access Control on Asset Download

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...

CVSS 5.9, EPSS 0.00409
Exploits 0, References 3
Vulnrichment
added 2026/04/16 11:56 p.m., 4 views

CVE-2026-40265 Note Mark has Broken Access Control on Asset Download

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...

CVSS 5.9, AI score 5.7, EPSS 0.00409
Exploits 0, References 3
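The two authorization findings above, CVE-2026-40265 (an asset route registered without authentication middleware and without an ownership or visibility check) and the 0.19.3 fix for notes and assets still reachable after a public book was soft-deleted, come down to one missing rule applied in one place. The Go program below is an added example, not Note Mark's code: it models books, notes and assets in memory (the schema, the bearer-token session table and the route layout are assumptions) and shows the asset route registered inside an auth middleware, a single `canReadNote` visibility rule that treats soft-deleted books as absent, and an asset lookup scoped to the note named in the URL.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"strings"
)

// Constructed in-memory model; Note Mark's real schema is not reproduced here.
type Book struct {
	ID, OwnerID       string
	IsPublic, Deleted bool // Deleted = soft-deleted: invisible even if IsPublic
}
type Note struct{ ID, BookID string }
type Asset struct {
	ID, NoteID string
	Data       []byte
}
type ctxKey int

const userKey ctxKey = 0

// Sample data: alice owns a private book b1, a public book b2 and a
// soft-deleted public book b3, each with one note holding one asset.
var (
	books = map[string]Book{
		"b1": {ID: "b1", OwnerID: "alice"},
		"b2": {ID: "b2", OwnerID: "alice", IsPublic: true},
		"b3": {ID: "b3", OwnerID: "alice", IsPublic: true, Deleted: true},
	}
	notes  = map[string]Note{"n1": {"n1", "b1"}, "n2": {"n2", "b2"}, "n3": {"n3", "b3"}}
	assets = map[string]Asset{
		"a1": {"a1", "n1", []byte("private")},
		"a2": {"a2", "n2", []byte("public")},
		"a3": {"a3", "n3", []byte("deleted")},
	}
	sessions    = map[string]string{"tok-alice": "alice", "tok-bob": "bob"} // bearer token -> user
	errNotFound = errors.New("not found")
)

// canReadNote is the one visibility rule for every note and asset route: the
// caller owns the book, or it is public and not soft-deleted ("" = anonymous).
func canReadNote(userID, noteID string) bool {
	n, ok := notes[noteID]
	b, found := books[n.BookID]
	if !ok || !found || b.Deleted {
		return false
	}
	return b.IsPublic || (userID != "" && b.OwnerID == userID)
}

// getAsset scopes the lookup to the note in the URL, so an asset of a private
// note cannot be pulled through a public note the caller is allowed to read.
func getAsset(userID, noteID, assetID string) (Asset, error) {
	a, ok := assets[assetID]
	if !ok || a.NoteID != noteID || !canReadNote(userID, noteID) {
		return Asset{}, errNotFound
	}
	return a, nil
}

// withAuth runs before the handler: a bad token is rejected, no token leaves
// the caller anonymous, and the handler's visibility check does the rest.
func withAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if auth == "" {
			next.ServeHTTP(w, r)
			return
		}
		uid, ok := sessions[strings.TrimPrefix(auth, "Bearer ")]
		if !ok {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey, uid)))
	})
}

// assetHandler serves GET /api/notes/{noteID}/assets/{assetID}; every failure
// is the same 404, so the response never confirms that an ID exists.
func assetHandler(w http.ResponseWriter, r *http.Request) {
	p := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
	userID, _ := r.Context().Value(userKey).(string)
	if len(p) == 5 && p[0] == "api" && p[1] == "notes" && p[3] == "assets" {
		if a, err := getAsset(userID, p[2], p[4]); err == nil {
			w.Write(a.Data)
			return
		}
	}
	http.NotFound(w, r) // malformed path, unknown ID and denied access look alike
}

// newServer registers the asset route inside the auth middleware.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/notes/", withAuth(http.HandlerFunc(assetHandler)))
	return mux
}

func main() { http.ListenAndServe("127.0.0.1:8080", newServer()) }
```

Run it and request `/api/notes/n1/assets/a1` with no token, with `Authorization: Bearer tok-bob`, and with `tok-alice`: only the owner gets 200. `/api/notes/n2/assets/a2` is public and readable anonymously, `/api/notes/n3/assets/a3` is 404 because its book is soft-deleted, and `/api/notes/n2/assets/a1` is 404 because the asset does not belong to the note in the URL.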
Vulnrichment
added 2026/04/16 11:53 p.m., 1 view

CVE-2026-40263 Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...

CVSS 3.7, AI score 5.7, EPSS 0.002
Exploits 0, References 2
CVE
added 2026/04/16 11:53 p.m., 4 views

CVE-2026-40263

Note Mark: Timing-based username enumeration vulnerability in login endpoint. Versions

CVSS 3.7, AI score 5.7, EPSS 0.002
Exploits 0, References 2
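CVE-2026-41571 (a placeholder hash accepted for password-less OIDC accounts, listed at the top of this page) and CVE-2026-40263 (bcrypt skipped for unknown usernames) are both defects in how the login path behaves when there is nothing to compare against. The Go program below is an added example, not Note Mark's code. It substitutes an iterated SHA-256 digest for bcrypt so that it runs on the standard library alone (the use of bcrypt itself is taken from the advisories; the salt/hash encoding and the user table are constructed for the example). `loginVulnerable` reproduces both behaviours; `loginHardened` shows the fix: verify against a dummy hash whenever the account is missing or has no password, so every path costs the same, and never let an empty stored hash turn into a password.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// slowDigest stands in for bcrypt so the example runs on the standard library
// alone (assumption: Note Mark uses bcrypt). The iteration count keeps verify
// expensive, which is what makes a skipped verify measurable from outside.
func slowDigest(salt, password string) []byte {
	h := sha256.Sum256([]byte(salt + "\x00" + password))
	for i := 0; i < 50000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// hashPassword stores the salt with the digest, like bcrypt's self-describing
// hash string, so verify needs only the stored value and the candidate.
func hashPassword(salt, password string) string {
	return salt + "$" + hex.EncodeToString(slowDigest(salt, password))
}

func verify(stored, password string) bool {
	i := strings.IndexByte(stored, '$')
	if i < 0 {
		return false
	}
	want, err := hex.DecodeString(stored[i+1:])
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, slowDigest(stored[:i], password)) == 1
}

type User struct {
	Name, PasswordHash string // PasswordHash is empty for OIDC-registered accounts
}

// Constructed user table: alice has a password, ola was created through OIDC.
var users = map[string]User{
	"alice": {"alice", hashPassword("s1", "correct horse")},
	"ola":   {"ola", ""},
}

// placeholderHash models the hard-coded fallback used when the stored hash is empty.
var placeholderHash = hashPassword("p0", "null")

// loginVulnerable reproduces both reported defects: it returns before any hash
// work for unknown usernames (a timing oracle), and it substitutes a known
// placeholder when the stored hash is empty, so "null" logs in every OIDC user.
func loginVulnerable(username, password string) bool {
	u, ok := users[username]
	if !ok {
		return false
	}
	stored := u.PasswordHash
	if stored == "" {
		stored = placeholderHash
	}
	return verify(stored, password)
}

// dummyHash absorbs the verify cost on paths that must fail: the candidate is
// hashed against it and the result discarded, so timing no longer leaks.
var dummyHash = hashPassword("d0", "not-a-real-password")

// loginHardened pays the same verify cost on every path and never treats an
// empty stored hash as a password: OIDC accounts can only sign in via OIDC.
func loginHardened(username, password string) bool {
	u, ok := users[username]
	usable := ok && u.PasswordHash != ""
	stored := dummyHash
	if usable {
		stored = u.PasswordHash
	}
	match := verify(stored, password)
	return usable && match
}

// timeLogin returns how long one attempt takes; compare known vs unknown users.
func timeLogin(f func(string, string) bool, user string) time.Duration {
	start := time.Now()
	f(user, "guess")
	return time.Since(start)
}

func main() {
	fmt.Println("vulnerable ola/null:", loginVulnerable("ola", "null"), " hardened ola/null:", loginHardened("ola", "null"))
	fmt.Println("vulnerable alice:", timeLogin(loginVulnerable, "alice"), " nobody:", timeLogin(loginVulnerable, "nobody"))
	fmt.Println("hardened   alice:", timeLogin(loginHardened, "alice"), " nobody:", timeLogin(loginHardened, "nobody"))
}
```

The first line of output shows the placeholder defect (`true` for the vulnerable path, `false` for the hardened one); the next two show the timing gap between an existing and a nonexistent username collapsing once the dummy verify is always performed. With real bcrypt the dummy hash should be generated once at startup from random input at the same cost parameter as stored hashes.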
CVE
added 2026/04/16 11:51 p.m., 5 views

CVE-2026-40262

Note Mark suffers a stored XSS via unrestricted asset upload in versions

CVSS 8.7, AI score 5.8, EPSS 0.00309
Exploits 0, References 3
Vulnrichment
added 2026/04/16 11:51 p.m., 5 views

CVE-2026-40262 Note Mark has Stored XSS via Unrestricted Asset Upload

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

CVSS 8.7, AI score 5.7, EPSS 0.00309
Exploits 0, References 3
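CVE-2026-40262 above is uploads served inline with a content type taken from byte-signature detection, which has no signature for HTML, SVG or XHTML. The Go code below is an added example, not Note Mark's handler; it assumes a delivery function that receives the stored bytes and the original filename, and shows the two changes a reviewer would ask for: reject markup at upload time (text formats begin with `<` once a BOM and whitespace are skipped, whatever the sniffer says), and at delivery time use sniffing only to widen to an image allowlist, defaulting everything else to `attachment`, `application/octet-stream`, `nosniff` and a sandboxing CSP. The three sample payloads are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime"
	"net/http"
)

// inlineTypes is a positive allowlist: only these sniffed types are ever
// rendered in the browser; everything else is forced to download.
var inlineTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// looksLikeMarkup catches what byte-signature sniffers miss: HTML, SVG, XHTML
// and XML carry no magic bytes, but all begin with '<' once a UTF-8 BOM and
// leading whitespace are skipped, which is how a browser will read them too.
func looksLikeMarkup(data []byte) bool {
	d := bytes.TrimPrefix(data, []byte("\xef\xbb\xbf"))
	d = bytes.TrimLeft(d, " \t\r\n")
	return len(d) > 0 && d[0] == '<'
}

// rejectMarkup is the upload-time check: refuse markup outright rather than
// relying on delivery headers alone.
func rejectMarkup(data []byte) error {
	if looksLikeMarkup(data) {
		return errors.New("markup uploads (HTML/SVG/XHTML/XML) are not accepted")
	}
	return nil
}

type AssetHeaders struct{ ContentType, Disposition, CSP string }

// assetHeadersFor is the delivery-time decision. Sniffing is used only to
// widen to a known-safe image type; any miss, including the text formats the
// sniffer cannot name, falls back to attachment + application/octet-stream.
func assetHeadersFor(filename string, data []byte) AssetHeaders {
	h := AssetHeaders{
		ContentType: "application/octet-stream",
		Disposition: mime.FormatMediaType("attachment", map[string]string{"filename": filename}),
		CSP:         "sandbox; default-src 'none'", // even an inline image gets a script-free policy
	}
	if ct := http.DetectContentType(data); inlineTypes[ct] && !looksLikeMarkup(data) {
		h.ContentType = ct
		h.Disposition = "inline"
	}
	return h
}

// serveAsset writes an upload with those headers plus nosniff, so the browser
// neither re-sniffs the bytes nor executes them as a document.
func serveAsset(w http.ResponseWriter, filename string, data []byte) {
	h := assetHeadersFor(filename, data)
	w.Header().Set("Content-Type", h.ContentType)
	w.Header().Set("Content-Disposition", h.Disposition)
	w.Header().Set("Content-Security-Policy", h.CSP)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(data)
}

// Constructed samples: a PNG header, an SVG carrying a script, and an HTML page.
var (
	samplePNG  = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	sampleSVG  = []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>`)
	sampleHTML = []byte("<!DOCTYPE html><script>alert(document.cookie)</script>")
)

func main() {
	for name, data := range map[string][]byte{"pic.png": samplePNG, "pic.svg": sampleSVG, "page.html": sampleHTML} {
		fmt.Printf("%-10s sniffed=%q reject=%v headers=%+v\n", name, http.DetectContentType(data), rejectMarkup(data), assetHeadersFor(name, data))
	}
}
```

`http.DetectContentType` implements the WHATWG sniffing table: it returns `text/html` for the HTML sample but only `text/plain` for the SVG, which is exactly the gap the advisory describes; the allowlist makes that gap harmless because an unrecognised type can only ever become a download.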
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-39203

Malicious code in bioql PyPI...

CVSS 8.7, AI score 8.4, EPSS 0.00777
Exploits 4, References 2
RedhatCVE
added 2025/02/05 7:53 a.m., 5 views

CVE-2024-41819

Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1...

CVSS 8.7, AI score 5.5, EPSS 0.00777
Exploits 4, References 1
NVD
added 2024/07/29 4:15 p.m., 32 views

CVE-2024-41819

Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1...

CVSS 8.7, EPSS 0.00777
Exploits 4, References 2
Vulnrichment
added 2024/07/29 4:03 p.m., 24 views

CVE-2024-41819 Note Mark has a stored XSS in the note link href attribute

Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1...

CVSS 8.7, AI score 7.5, EPSS 0.00777
Exploits 4, References 2
CVE
added 2024/07/29 4:03 p.m., 64 views

CVE-2024-41819

CVE-2024-41819 concerns Note Mark, a web-based Markdown notes app. The vulnerability is a stored XSS in the URL value of a link embedded in markdown content, allowing arbitrary web scripts to run when a user interacts with the rendered note. Affected versions are prior to 0.13.1; remediation is t...

CVSS 8.7, AI score 7.5, EPSS 0.00777
Exploits 4, References 2, Affected Software 1
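CVE-2024-41819 above is the classic `javascript:` destination in a markdown link. The Go code below is an added example, not Note Mark's renderer (which is not shown on this page); it implements the check a markdown-to-HTML renderer should apply to every link destination: strip the ASCII control characters browsers ignore, parse, allowlist the scheme, and HTML-escape the attribute value. `sampleHrefs` is constructed input, and the scheme allowlist is an assumption about what a notes app needs.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// allowedSchemes is an allowlist. A blocklist of "javascript:" misses data:,
// vbscript:, mixed case and whitespace-obfuscated variants.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// safeHref returns the href to emit for a markdown link and whether a link may
// be emitted at all. Relative URLs (no scheme) pass; any scheme must be listed.
func safeHref(raw string) (string, bool) {
	// Browsers discard ASCII control characters (tab, newline, ...) from a URL
	// before resolving it, so "java\tscript:" is javascript: to the browser.
	// Strip them first so the scheme checked is the scheme the browser sees.
	cleaned := strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1
		}
		return r
	}, raw)
	cleaned = strings.TrimSpace(cleaned)
	u, err := url.Parse(cleaned)
	if err != nil || cleaned == "" {
		return "", false
	}
	if u.Scheme != "" && !allowedSchemes[u.Scheme] { // url.Parse lower-cases the scheme
		return "", false
	}
	return u.String(), true
}

// renderLink emits the anchor for [text](href); an unsafe href degrades to the
// link text rather than vanishing, and both attribute and text are escaped.
func renderLink(text, href string) string {
	safe, ok := safeHref(href)
	if !ok {
		return html.EscapeString(text)
	}
	return `<a href="` + html.EscapeString(safe) + `" rel="noopener noreferrer">` + html.EscapeString(text) + `</a>`
}

// Constructed hrefs a note author might store, benign and malicious.
var sampleHrefs = []string{
	"https://example.com/docs", "/notes/abc", "mailto:team@example.com",
	"javascript:alert(document.cookie)", "JaVaScRiPt:alert(1)", "java\tscript:alert(1)",
	"data:text/html,<script>alert(1)</script>",
}

func main() {
	for _, h := range sampleHrefs {
		fmt.Printf("%-45q -> %s\n", h, renderLink("link", h))
	}
}
```

The check must run on the decoded destination the renderer is about to write, after any entity or percent decoding the markdown pipeline performs, otherwise an encoded scheme slips past it. Protocol-relative `//host/path` links pass as relative here, which is acceptable because they resolve to the page's own http(s) scheme.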