Go modules package
github.com/enchant97/note-mark/backend
pkg:golang/github.com/enchant97/note-mark/backend
Vulnerabilities (5)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41572 | Medium | 5.3 | | < 0.0.0-20260417132843-d1bf845a2a2d | 0.0.0-20260417132843-d1bf845a2a2d | May 4, 2026 | Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated caller |
| CVE-2026-41571 | Critical | 9.4 | | < 0.0.0-20260417132909-dea5530cc989 | 0.0.0-20260417132909-dea5530cc989 | May 4, 2026 | Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who su |
| CVE-2026-40265 | Medium | 5.9 | | < 0.0.0-20260411145023-6593898855ad | 0.0.0-20260411145023-6593898855ad | Apr 17, 2026 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthent |
| CVE-2026-40263 | Low | 3.7 | | < 0.19.2-0.20260411145025-cf4c6f6acf70 | 0.19.2-0.20260411145025-cf4c6f6acf70 | Apr 17, 2026 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated atta |
| CVE-2026-40262 | High | 8.7 | | < 0.0.0-20260411145018-6bb62842ccb9 | 0.0.0-20260411145018-6bb62842ccb9 | Apr 17, 2026 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are |
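The two password-verification findings above, the empty-password fallback in IsPasswordMatch (CVE-2026-41571) and the login endpoint that only runs bcrypt for usernames that exist (CVE-2026-40263), have the same shape: whether the expensive comparison runs depends on account state, and in the first case the comparison runs against a value the attacker can satisfy. The following is an added Go example written for this page; it is not Note Mark's code. It uses an unsalted, iterated SHA-256 as a stand-in for bcrypt so that it runs with the standard library alone (real code keeps bcrypt.CompareHashAndPassword), and User, userStore, isPasswordMatchVulnerable, isPasswordMatchFixed, loginVulnerable, loginFixed and countHashes are this example's own names. A call counter on the hash makes the timing difference observable without a stopwatch.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// hashCalls counts how many times the password hash runs. The timing issue in
// the advisory comes down to whether this work is done on every request.
var hashCalls int

// slowHash is an unsalted, iterated SHA-256 stand-in for bcrypt so the example
// runs on the standard library alone; real code keeps bcrypt.CompareHashAndPassword.
func slowHash(password string) []byte {
	hashCalls++
	h := sha256.Sum256([]byte(password))
	for i := 1; i < 20000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// placeholderHash is the hash of the literal string "null", the fallback the
// advisory describes. dummyHash is compared against when a username is unknown.
var (
	placeholderHash = slowHash("null")
	dummyHash       = slowHash("dummy-never-accepted")
)

type User struct {
	Username string
	Password []byte // empty for OIDC-registered accounts
}

type userStore map[string]User

// isPasswordMatchVulnerable substitutes the placeholder whenever the stored
// hash is empty, so a password-less account is satisfied by the string "null".
func isPasswordMatchVulnerable(u User, password string) bool {
	stored := u.Password
	if len(stored) == 0 {
		stored = placeholderHash
	}
	return subtle.ConstantTimeCompare(stored, slowHash(password)) == 1
}

// isPasswordMatchFixed rejects password login for accounts with no stored hash,
// but still pays the hashing cost so the rejection does not leak by timing.
func isPasswordMatchFixed(u User, password string) bool {
	if len(u.Password) == 0 {
		slowHash(password)
		return false
	}
	return subtle.ConstantTimeCompare(u.Password, slowHash(password)) == 1
}

// loginVulnerable returns before hashing when the username does not exist:
// the timing discrepancy the advisory describes for the login endpoint.
func loginVulnerable(db userStore, username, password string) bool {
	u, ok := db[username]
	if !ok {
		return false
	}
	return isPasswordMatchFixed(u, password)
}

// loginFixed does exactly one hash comparison on every path; unknown usernames
// are compared against dummyHash and the result is discarded.
func loginFixed(db userStore, username, password string) bool {
	u, ok := db[username]
	if !ok {
		subtle.ConstantTimeCompare(dummyHash, slowHash(password))
		return false
	}
	return isPasswordMatchFixed(u, password)
}

// countHashes reports how many hash computations fn performs.
func countHashes(fn func()) int {
	before := hashCalls
	fn()
	return hashCalls - before
}

func main() {
	db := userStore{
		"alice": {Username: "alice", Password: slowHash("correct horse")},
		"oidc":  {Username: "oidc"}, // registered through OIDC, no password
	}
	fmt.Println("vulnerable IsPasswordMatch accepts \"null\" for OIDC user:",
		isPasswordMatchVulnerable(db["oidc"], "null"))
	fmt.Println("fixed IsPasswordMatch accepts \"null\" for OIDC user:",
		isPasswordMatchFixed(db["oidc"], "null"))
	for _, name := range []string{"alice", "nobody"} {
		fmt.Printf("loginVulnerable(%q): %d hash(es); loginFixed(%q): %d hash(es)\n",
			name, countHashes(func() { loginVulnerable(db, name, "guess") }),
			name, countHashes(func() { loginFixed(db, name, "guess") }))
	}
}
```

The fixed login path hashes exactly once for a known user, an unknown user and a password-less user alike, which is the property to check in a regression test; the dummy hash is precomputed so the unknown-user branch costs the same as a real comparison rather than a hash plus a comparison.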