43 matches found
CVE-2026-41571
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
CVE-2026-44522
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
CVE-2026-44523
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...
Inadequate Encryption Strength
Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength due to insufficient enforcement of length and entropy requirements for the JWTSECRET configuration value. An attacker can gain unauthorized access to user accounts by forging authentication tokens using we...
CVE-2026-44523
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...
CVE-2026-44522
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
EUVD-2026-30370
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
CVE-2026-44522
Vulnerability summary (CVE-2026-44522) Note Mark up to 0.19.3 allows authenticated users to upload assets with a crafted X-Name header containing directory traversal. The asset name is stored in the database without validation, and is later passed directly to filepath.Join()/path.Join() during ex...
CVE-2026-44522 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
CVE-2026-44522 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...
CVE-2026-44523 Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...
CVE-2026-44523
CVE-2026-44523 affects Note Mark, with all versions before 0.19.4 vulnerable to a JWT secret weakness. The root cause is that the JWT secret is not validated for minimum length or entropy; the application accepts any base64-decodable secret, even as short as 1 byte. In backend/config/utils.go, Ba...
CVE-2026-44523 Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...
EUVD-2026-30367
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4...
Note Mark 加密问题漏洞
Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.4 contained a security vulnerability related to encryption. This vulnerability stemmed from the JWTSECRET configuration value not having a mandatory minimum length or entropy,...
Note Mark 输入验证错误漏洞
Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark from 0.13.0 to 0.19.4 contained a vulnerability related to input validation errors. This vulnerability stemmed from the lack of cleaning and validation of asset file names, which could lead to...
CVE-2026-41571
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
CVE-2026-41572
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41572
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...
CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...