Medium severity5.3GHSA Advisory· Published May 4, 2026· Updated May 7, 2026
CVE-2026-41572
CVE-2026-41572
Description
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/enchant97/note-mark/backendGo | < 0.0.0-20260417132843-d1bf845a2a2d | 0.0.0-20260417132843-d1bf845a2a2d |
Affected products
2- ghsa-coordsRange: < 0.0.0-20260417132843-d1bf845a2a2d
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-3gr9-485j-v4xfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41572ghsaADVISORY
- github.com/enchant97/note-mark/commit/d1bf845a2a2df01e2eca6f556287db4ec6f773cfghsaWEB
- github.com/enchant97/note-mark/releases/tag/v0.19.3nvdWEB
- github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xfnvdWEB
News mentions
0No linked articles in our index yet.