Medium severity (5.3) · GHSA Advisory · Published May 4, 2026 · Updated May 7, 2026
CVE-2026-41572
Description
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.
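To make the gap in the description concrete, the following is an added example written for this page, not Note Mark's own code. It runs against an in-memory SQLite database; the table and column names, the `books.is_public` flag and the query text are assumptions that mirror the SQL shapes GORM produces for a soft-delete model queried through a raw JOIN. It contrasts the original delete with the patched one (clear `is_public`, then soft delete, in one transaction) and with a join that filters on the joined table's `deleted_at` directly.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: both tables carry the nullable deleted_at column that a
# GORM soft-delete model uses. Names are assumptions, not Note Mark's schema.
SCHEMA = """
CREATE TABLE books (
    id TEXT PRIMARY KEY,
    owner_id TEXT NOT NULL,
    is_public INTEGER NOT NULL DEFAULT 0,
    deleted_at TEXT
);
CREATE TABLE notes (
    id TEXT PRIMARY KEY,
    book_id TEXT NOT NULL REFERENCES books(id),
    slug TEXT NOT NULL,
    deleted_at TEXT
);
"""


def fresh_db() -> sqlite3.Connection:
    """In-memory database seeded with one public book and one note (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO books VALUES ('book-1', 'owner-1', 1, NULL)")
    conn.execute("INSERT INTO notes VALUES ('note-1', 'book-1', 'hello', NULL)")
    conn.commit()
    return conn


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def public_note_unscoped_join(conn: sqlite3.Connection, note_id: str):
    """Anonymous lookup shaped like the vulnerable query: GORM's soft-delete
    scope appends `notes.deleted_at IS NULL` for the primary model only. The raw
    JOIN on books carries no such filter, so a soft-deleted book still joins."""
    return conn.execute(
        """SELECT notes.id, notes.slug FROM notes
           JOIN books ON books.id = notes.book_id
           WHERE notes.id = ? AND books.is_public = 1
             AND notes.deleted_at IS NULL""",
        (note_id,),
    ).fetchone()


def public_note_scoped_join(conn: sqlite3.Connection, note_id: str):
    """Hardened lookup: the join condition itself excludes soft-deleted books,
    so it does not depend on is_public being cleared at delete time."""
    return conn.execute(
        """SELECT notes.id, notes.slug FROM notes
           JOIN books ON books.id = notes.book_id AND books.deleted_at IS NULL
           WHERE notes.id = ? AND books.is_public = 1
             AND notes.deleted_at IS NULL""",
        (note_id,),
    ).fetchone()


def delete_book_original(conn: sqlite3.Connection, owner_id: str, book_id: str) -> int:
    """Pre-fix DeleteBookByID: a plain soft delete, i.e. only deleted_at is set.
    Returns the affected row count (0 maps to the service's NotFoundError)."""
    cur = conn.execute(
        "UPDATE books SET deleted_at = ? "
        "WHERE id = ? AND owner_id = ? AND deleted_at IS NULL",
        (_now(), book_id, owner_id),
    )
    conn.commit()
    return cur.rowcount


def delete_book_patched(conn: sqlite3.Connection, owner_id: str, book_id: str) -> int:
    """Fixed DeleteBookByID: clear is_public, then soft delete, in one transaction
    (the sqlite3 connection context manager commits or rolls back as a unit)."""
    with conn:
        conn.execute(
            "UPDATE books SET is_public = 0 "
            "WHERE id = ? AND owner_id = ? AND deleted_at IS NULL",
            (book_id, owner_id),
        )
        cur = conn.execute(
            "UPDATE books SET deleted_at = ? "
            "WHERE id = ? AND owner_id = ? AND deleted_at IS NULL",
            (_now(), book_id, owner_id),
        )
    return cur.rowcount


if __name__ == "__main__":
    db = fresh_db()
    delete_book_original(db, "owner-1", "book-1")
    print("original delete, unscoped join:", public_note_unscoped_join(db, "note-1"))
    print("original delete, scoped join:  ", public_note_scoped_join(db, "note-1"))
    db = fresh_db()
    delete_book_patched(db, "owner-1", "book-1")
    print("patched delete, unscoped join: ", public_note_unscoped_join(db, "note-1"))
```

The unscoped join keeps returning the note after the original delete, which is the exposure the advisory describes; the patched delete closes it by making the book non-public before it is soft-deleted, while the scoped join closes it at the query itself.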
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/enchant97/note-mark/backend (Go) | < 0.0.0-20260417132843-d1bf845a2a2d | 0.0.0-20260417132843-d1bf845a2a2d |
Affected products
Patches (1)
d1bf845a2a2d fix GHSA-3gr9-485j-v4xf
1 file changed · +20 −10
backend/services/books.go+20 −10 modified@@ -3,6 +3,7 @@ package services import ( "github.com/enchant97/note-mark/backend/db" "github.com/google/uuid" + "gorm.io/gorm" ) type BooksService struct{} @@ -63,14 +64,23 @@ func (s BooksService) UpdateBookByID( } func (s BooksService) DeleteBookByID(currentUserID uuid.UUID, bookID uuid.UUID) error { - result := db.DB. - Where("id = ? AND owner_id = ?", bookID, currentUserID). - Delete(&db.Book{}) - if err := result.Error; err != nil { - return dbErrorToServiceError(err) - } - if result.RowsAffected == 0 { - return NotFoundError - } - return nil + return db.DB.Transaction(func(tx *gorm.DB) error { + if err := tx. + Model(&db.Book{}). + Where("id = ? AND owner_id = ?", bookID, currentUserID). + Update("is_public", false). + Error; err != nil { + return dbErrorToServiceError(err) + } + result := tx. + Where("id = ? AND owner_id = ?", bookID, currentUserID). + Delete(&db.Book{}) + if err := result.Error; err != nil { + return dbErrorToServiceError(err) + } + if result.RowsAffected == 0 { + return NotFoundError + } + return nil + }) }
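Review bot: in the DeleteBookByID hunk the fix depends on the note and asset queries filtering on `books.is_public`; clearing it before the soft delete hides the content, but the `deleted_at` value the delete sets is still invisible to the raw "JOIN books ..." clauses the advisory describes, so any query that joins books without checking `is_public` would reopen the hole. Consider adding a `deleted_at IS NULL` condition on the joined books table in those queries as well, so the guarantee does not rest on this ordering, and document that a book restored from soft delete comes back private because its original `is_public` value is overwritten here.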
References
- github.com/advisories/GHSA-3gr9-485j-v4xf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41572 (GHSA, advisory)
- github.com/enchant97/note-mark/commit/d1bf845a2a2df01e2eca6f556287db4ec6f773cf (GHSA, web)
- github.com/enchant97/note-mark/releases/tag/v0.19.3 (NVD, web)
- github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf (NVD, web)