← Voltar para CVEs
CVE-2026-40265
MEDIUM5.9
Descricao
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
Detalhes CVE
Pontuacao CVSS v3.15.9
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeHIGH
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado4/17/2026
Ultima modificacao4/17/2026
Fontenvd
Avistamentos honeypot0
Fraquezas (CWE)
CWE-862
Referencias
https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026(security-advisories@github.com)
https://github.com/enchant97/note-mark/releases/tag/v0.19.2(security-advisories@github.com)
https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.