PT-2026-36891 · Note Mark

Adrgs

Published: 2026-04-25 · Updated: 2026-05-04

CVE-2026-41572

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Note Mark versions prior to 0.19.3
Description: Notes and uploaded assets remain accessible after a public book is soft-deleted. An unauthenticated user who knows the note ID or slug path can still retrieve data through the endpoints "/api/notes/{id}" and "/api/notes/{id}/content", the slug URL, and the asset endpoints. The cause is that the soft-delete scope applied by GORM (an Object-Relational Mapper for Go) does not extend to the raw "JOIN books ..." clauses used in the note and asset queries, so a soft-deleted book still satisfies the join.
Recommendations: Update to version 0.19.3.
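The mechanism in the description, as an added example that is not part of the advisory or of the Note Mark code base: the raw JOIN pattern is modelled in plain SQL on an in-memory SQLite database (schema, column names and rows are constructed assumptions), with the hardened query beside it carrying the soft-delete condition across to the joined table, which is the part an ORM scope does not do for a raw JOIN.

```python
import sqlite3

# Constructed sample schema mirroring the advisory's pattern: a soft-deleted
# book keeps its row with deleted_at set, and notes join to it by book_id.
SCHEMA = """
CREATE TABLE books (id INTEGER PRIMARY KEY, is_public INTEGER NOT NULL, deleted_at TEXT);
CREATE TABLE notes (id INTEGER PRIMARY KEY, book_id INTEGER NOT NULL,
                    slug TEXT NOT NULL, deleted_at TEXT);
INSERT INTO books VALUES (1, 1, NULL);                   -- live public book
INSERT INTO books VALUES (2, 1, '2026-04-20 10:00:00');  -- soft-deleted public book
INSERT INTO notes VALUES (10, 1, 'live-note', NULL);
INSERT INTO notes VALUES (20, 2, 'orphaned-note', NULL);
"""

# What the raw JOIN looks like after the ORM's soft-delete scope is applied:
# the scope filters only the primary model (notes.deleted_at), so a row of a
# soft-deleted book still satisfies the join and the public-book check.
VULNERABLE_QUERY = """
SELECT notes.id FROM notes
JOIN books ON books.id = notes.book_id
WHERE notes.id = ? AND books.is_public = 1 AND notes.deleted_at IS NULL
"""

# Hardened form: state the soft-delete condition for the joined table
# explicitly, since the ORM will not add it to a raw JOIN clause.
FIXED_QUERY = VULNERABLE_QUERY + " AND books.deleted_at IS NULL"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def public_note_visible(conn, note_id, query):
    """True if an unauthenticated lookup of note_id returns a row under `query`."""
    return conn.execute(query, (note_id,)).fetchone() is not None


def demo():
    conn = open_db()
    return {
        "vulnerable_live": public_note_visible(conn, 10, VULNERABLE_QUERY),
        "vulnerable_deleted_book": public_note_visible(conn, 20, VULNERABLE_QUERY),
        "fixed_live": public_note_visible(conn, 10, FIXED_QUERY),
        "fixed_deleted_book": public_note_visible(conn, 20, FIXED_QUERY),
    }


if __name__ == "__main__":
    for name, visible in demo().items():
        print(f"{name}: {visible}")
```

The same check belongs on every query that joins to books, including the asset queries the advisory names, not only the note lookup shown here.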


Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2026-41572, GHSA-3GR9-485J-V4XF

Affected Products: Note Mark