Lucene search
K

8 matches found

OSV
OSV
added 2026/06/25 6:26 p.m.3 views

GO-2026-5085 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books in github.com/enchant97/note-mark/backend

Note Mark: Unauthenticated read of notes and assets in soft-deleted public books in github.com/enchant97/note-mark/backend...

5.3CVSS5.8AI score0.00194EPSS
Exploits0References4
NVD
NVD
added 2026/05/04 6:16 p.m.6 views

CVE-2026-41572

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

5.3CVSS0.00194EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/04 5:44 p.m.55 views

CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

5.3CVSS0.00194EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/04 5:44 p.m.5 views

CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

5.3CVSS5.7AI score0.00194EPSS
Exploits0References2
CVE
CVE
added 2026/05/04 5:44 p.m.19 views

CVE-2026-41572

Note Mark (project: Note Mark) contains an authenticated/un-authenticated access flaw prior to version 0.19.3 where, after a public book is soft-deleted, notes and uploaded assets remain readable via /api/notes/{id}, /api/notes/{id}/content, the slug path, and asset endpoints. Root cause: GORM’s ...

5.3CVSS5.7AI score0.00194EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/25 11:40 p.m.3 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the GetNoteByID function. An attacker can access notes and assets from soft-deleted public books by directly querying endpoints with known note IDs or slug paths, even after the book has been deleted. This...

6.9CVSS5.7AI score0.00194EPSS
Exploits0References2
OSV
OSV
added 2026/04/25 11:40 p.m.6 views

GHSA-3GR9-485J-V4XF Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Summary After a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not...

5.3CVSS5.8AI score0.00194EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/25 11:40 p.m.22 views

Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Summary After a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not...

5.3CVSS5.8AI score0.00194EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder