Vulnerability Description
Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.
Related Weaknesses (CWE)
References
- https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3
- https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3
FAQ
What is CVE-2026-44522?
CVE-2026-44522 is a documented vulnerability. Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, w...
How severe is CVE-2026-44522?
CVSS scoring is not yet available for CVE-2026-44522. Check NVD for updates.
Is there a patch for CVE-2026-44522?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.