Description
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.
Published: 2026-05-14
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authenticated users can upload an asset by supplying an arbitrary filename in the X-Name header. The application stores this name without validation, allowing attackers to embed path traversal sequences. When an administrator later exports data, the unsanitized name is fed into filepath.Join() and path.Join(), causing the export process to write files to arbitrary locations on the host, enabling the attacker to place files where they can be executed or otherwise compromise the system. This flaw maps to CWE‑20 (Improper Input Validation) and CWE‑22 (Path Traversal).

Affected Systems

The vulnerability affects Note Mark versions 0.13.0 through 0.19.3 inclusive. The affected product is the open‑source Note Mark note‑taking application developed by enchant97. All users who can upload assets via the API and those with administrator privileges who run the export command are susceptible. Versions 0.19.4 and newer contain the fix.

Risk and Exploitability

The CVSS score of 8.6 signals high severity. EPSS information is currently unavailable, but the flaw is not listed in the CISA KEV catalog. The attack requires authentication and the ability to use the API for asset upload followed by an administrator running the CLI export command; thus the vector is local to the application’s authenticated realm but can lead to full system compromise once exploited.

Generated by OpenCVE AI on May 14, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Note Mark to version 0.19.4 or later.
  • Configure or restrict export command usage so that only trusted administrators can invoke it.
  • Enforce strict validation of asset filenames, rejecting names containing path separators or traversal sequences before storing or exporting.

Generated by OpenCVE AI on May 14, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g49p-4qxj-88v3 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution
History

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Enchant97
Enchant97 note-mark
Vendors & Products Enchant97
Enchant97 note-mark

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.
Title Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution
Weaknesses CWE-20
CWE-22
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Enchant97 Note-mark
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:44:31.854Z

Reserved: 2026-05-06T19:38:10.566Z

Link: CVE-2026-44522

cve-icon Vulnrichment

Updated: 2026-05-14T19:43:48.632Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T19:16:37.330

Modified: 2026-05-15T14:44:49.877

Link: CVE-2026-44522

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses