ByteOS Network

NVD Vulnerability Details :

CVE-2026-41572

Received

Source-security-advisories@github.com

Published At-04 May, 2026 | 18:16

Updated At-04 May, 2026 | 20:16

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-285	Secondary	security-advisories@github.com

CWE ID: CWE-285

Type: Secondary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/enchant97/note-mark/releases/tag/v0.19.3	security-advisories@github.com	N/A
https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf	security-advisories@github.com	N/A
https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A