
6 matches found

NVD
added 2026/05/04 6:16 p.m., 2 views

CVE-2026-41572

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

CVSS 5.3, EPSS 0.00037
Exploits: 0, References: 2
Vulnrichment
added 2026/05/04 5:44 p.m., 2 views

CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

CVSS 5.3, AI score 5.7, EPSS 0.00037
Exploits: 0, References: 2
NVD
added 2026/03/20 4:16 a.m., 2 views

CVE-2026-32938

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET...

CVSS 9.9, EPSS 0.00299
Exploits: 1, References: 3
Snyk
added 2026/02/11 4:53 p.m., 4 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization due to a missing authorization that allows access to assets. An attacker can access and download sensitive files and view their metadata by sending requests as an authenticated user without the necessary permission...

CVSS 5.3, AI score 5.6, EPSS 0.00014
Exploits: 0, References: 2
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-0534

Malware in sbrugna...

CVSS 5.3, AI score 6, EPSS 0.00336
Exploits: 0, References: 8
CVE
added 2025/04/15 11:25 p.m., 239 views

CVE-2025-30215

CVE-2025-30215 affects NATS-Server. In versions 2.2.0 through just before 2.10.27 and 2.11.1, the management of JetStream assets via the $JS namespace in the system account was partially exposed to regular accounts. This allowed certain JS API requests with management permissions in any account t...

CVSS 9.6, AI score 9.2, EPSS 0.00029
Exploits: 0, References: 3