VYPR

Go modules package

github.com/enchant97/note-mark/backend

pkg:golang/github.com/enchant97/note-mark/backend

Vulnerabilities (5)

  • CVE-2026-41572 | Severity: Medium | Published: May 4, 2026
    affected: < 0.0.0-20260417132843-d1bf845a2a2d
    fixed: 0.0.0-20260417132843-d1bf845a2a2d

    Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated caller

  • CVE-2026-41571 | Severity: Critical | Published: May 4, 2026
    affected: < 0.0.0-20260417132909-dea5530cc989
    fixed: 0.0.0-20260417132909-dea5530cc989

    Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who su

  • CVE-2026-40265 | Severity: Medium | Published: Apr 17, 2026
    affected: < 0.0.0-20260411145023-6593898855ad
    fixed: 0.0.0-20260411145023-6593898855ad

    Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthent

  • CVE-2026-40263 | Severity: Low | Published: Apr 17, 2026
    affected: < 0.19.2-0.20260411145025-cf4c6f6acf70
    fixed: 0.19.2-0.20260411145025-cf4c6f6acf70

    Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated atta

  • CVE-2026-40262 | Severity: High | Published: Apr 17, 2026
    affected: < 0.0.0-20260411145018-6bb62842ccb9
    fixed: 0.0.0-20260411145018-6bb62842ccb9

    Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are