Description

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.

INFO

Published Date :

2026-04-16T23:56:02.961Z

Last Modified :

2026-04-16T23:56:02.961Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40265 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40265.

URL Resource
https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026 cve-icon cve-icon
https://github.com/enchant97/note-mark/releases/tag/v0.19.2 cve-icon cve-icon
https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact