Note Mark: Arbitrary File Write via Path Traversal in Asset...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.

AI Analysis

Arbitrary file write via path traversal in asset names, allowing remote code execution

Basic Information

ID CVE-2026-44522

Source GitHub_M

Published May 14, 2026 at 18:44

Modified May 14, 2026 at 19:44

Affected Product

Vendor enchant97

Product note-mark

Version >= 0.13.0, < 0.19.4

Affected Versions enchant97 note-mark >= 0.13.0, < 0.19.4

CWE Classification

CWE-20 CWE-22

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor enchant97

Product note-mark

Version 0.13.0 to 0.19.3

References

github.com /enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3

{
    "lastseen": "",
    "description": "Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.",
    "published": "2026-05-14T18:44:35.887Z",
    "modified": "2026-05-14T19:44:31.854Z",
    "type": "cve",
    "title": "Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution",
    "source": "GitHub_M",
    "references": "https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3",
    "id": "CVE-2026-44522",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "enchant97 note-mark >= 0.13.0, < 0.19.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "note-mark",
    "version": ">= 0.13.0, < 0.19.4",
    "vendor": "enchant97",
    "ai_description": "Arbitrary file write via path traversal in asset names, allowing remote code execution",
    "ai_severity": "High",
    "ai_vendor": "enchant97",
    "ai_product": "note-mark",
    "ai_version": "0.13.0 to 0.19.3",
    "ai_score": 8.6
}

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution_CVE-2026-44522