PT-2026-38621 · Note Mark

Rvizx · Published 2026-05-07 · Updated 2026-05-14 · CVE-2026-44522

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Note Mark versions 0.13.0 through 0.19.3

Description: Authenticated users can upload assets to notes via the "/api/notes/{noteID}/assets" endpoint. The application stores the asset filename supplied in the X-Name HTTP request header directly in the database without sanitization; it does not filter path separators or directory traversal sequences.

When an administrator runs the data export CLI commands note-mark migrate export-v1 or note-mark migrate export, the stored filename is passed to filepath.Join() and path.Join(). Because these functions resolve ../ sequences, an attacker can cause the export process to write files to arbitrary locations on the filesystem. Since the export process often runs with root privileges, this can lead to Remote Code Execution by overwriting critical system binaries such as /bin/bash or by modifying systemd unit files and cron jobs.

Recommendations: Update to version 0.19.4. As a temporary workaround, validate the X-Name header so that it contains no path separators or directory traversal sequences before assets are uploaded.
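As an added example (not Note Mark's own code), the two checks a maintainer would want here: validation of the X-Name value at upload time, and a containment check on the export side after filepath.Join has resolved the stored name, which also covers rows written before validation existed. Function names and the export directory are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for any asset name that could leave the target directory.
var ErrUnsafeName = errors.New("unsafe asset name")

// SafeAssetName validates a client-supplied asset name (for example the value of
// the X-Name header) before it is stored: it must be exactly one path element,
// free of separators, traversal components and NUL bytes.
func SafeAssetName(name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\\x00") {
		return "", ErrUnsafeName
	}
	if filepath.Clean(name) != name { // belt and braces: Clean must be a no-op
		return "", ErrUnsafeName
	}
	return name, nil
}

// ExportPath joins an already-stored name onto the export directory and then checks
// that the result is still inside it; Join resolves "../" lexically, so check after it.
func ExportPath(exportDir, storedName string) (string, error) {
	root, err := filepath.Abs(exportDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(root, storedName)
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return dest, nil
}

func main() {
	// Constructed inputs (hypothetical): a benign name and a traversal attempt.
	for _, n := range []string{"diagram.png", "../../etc/cron.d/job"} {
		_, uploadErr := SafeAssetName(n)
		_, exportErr := ExportPath("/tmp/note-mark-export", n)
		fmt.Printf("%q upload=%v export=%v\n", n, uploadErr, exportErr)
	}
}
```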

Tags: Exploit, Fix, Path traversal, RCE

Weakness Enumeration

Related Identifiers

- CVE-2026-44522
- GHSA-G49P-4QXJ-88V3

Affected Products

Note Mark