CVE-2026-41572
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41572
Note Mark (project: Note Mark) contains an authenticated/un-authenticated access flaw prior to version 0.19.3 where, after a public book is soft-deleted, notes and uploaded assets remain readable via /api/notes/{id}, /api/notes/{id}/content, the slug path, and asset endpoints. Root cause: GORM’s ...
EUVD-2026-27053
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41571 Note Mark: OIDC-registered users authenticated by submitting password "null"
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
PT-2026-36891
Name of the Vulnerable Software and Affected Versions Note Mark versions prior to 0.19.3 Description An issue exists where notes and uploaded assets remain accessible after a public book is soft-deleted. Unauthenticated users with the note ID or slug path can access data via the endpoints...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization via the GetNoteByID function. An attacker can access notes and assets from soft-deleted public books by directly querying endpoints with known note IDs or slug paths, even after the book has been deleted. This...
PT-2026-35503
Name of the Vulnerable Software and Affected Versions Note Mark versions prior to 0.19.3 Description An authentication bypass exists in the internal login endpoint. The IsPasswordMatch function in backend/db/models.go uses a hard-coded bcrypt"null" placeholder when a user has no stored password...
EUVD-2022-28777
Netaxis API Orchestrator APIO before 0.19.3 allows server side template injection SSTI...
PT-2025-51834
Name of the Vulnerable Software and Affected Versions Netaxis API Orchestrator APIO versions prior to 0.19.3 Description The Netaxis API Orchestrator APIO software contains a flaw that permits server side template injection SSTI. This issue could potentially allow an attacker to execute arbitrary...
Netaxis API Orchestrator Security Vulnerability
Netaxis API Orchestrator is an API orchestration and automation platform from Netaxis (Belgium). A security vulnerability exists in Netaxis API Orchestrator versions prior to 0.19.3 that stems from susceptibility to server-side template injection attacks...
CVE-2022-23851
CVE-2022-23851 affects Netaxis API Orchestrator (APIO) up to version 0.19.3 (pre-0.19.3). The vulnerability is a server-side template injection (SSTI) flaw that can impact confidentiality, integrity, and availability (CVSS v3.1 base score 9.8). Some sources note that this issue could potentially ...
EUVD-2005-3337
Malware in sbrugna...
PT-2024-32292 · Opendaylight · Opendaylight Authentication
Name of the Vulnerable Software and Affected Versions: OpenDaylight Authentication, Authorization and Accounting AAA versions through 0.19.3 Description: An issue was discovered in OpenDaylight Authentication, Authorization and Accounting AAA. A rogue controller can join a cluster to impersonate ...
CVE-2023-30533
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words, 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected...
SheetJS Security Vulnerability
SheetJS is a software application: a parser and writer for various spreadsheet formats. A security vulnerability exists in SheetJS Community Edition prior to version 0.19.3, which stems from a flaw that allows an attacker to perform prototype pollution via crafted files...
UBUNTU-CVE-2020-35605
The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message...
PT-2020-5769 · Kitty +3 · Kitty +3
Name of the Vulnerable Software and Affected Versions: kitty versions prior to 0.19.3 Description: The Graphics Protocol feature in the graphics.c file of kitty allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message...
Gentoo Security Advisory GLSA 200510-24 (Mantis)
The remote host is missing updates announced in advisory GLSA 200510-24. SPDX-FileCopyrightText: 2008 E-Soft Inc. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...