CVE-2026-40265
Note Mark has Broken Access Control on Asset Download
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
| CWE | CWE-862 |
| Vendor | enchant97 |
| Product | note-mark |
| Published | Apr 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for enchant97 note-mark
Be the first to know when new medium vulnerabilities affecting enchant97 note-mark are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
enchant97 / note-mark
< 0.19.2