Two vulnerabilities have been identified in Note Mark, including an unauthenticated information disclosure issue and a path traversal vulnerability. The first flaw allows unauthenticated attackers to access metadata of soft-deleted notes from public books by abusing the deleted=true parameter, bypassing intended deletion restrictions. The second vulnerability exists due to improper validation of book and note slug values, allowing attackers to inject path traversal sequences that can escape the intended export directory during migration operations, potentially leading to arbitrary file creation and privilege escalation when exports are executed with elevated permissions.
CVE-2026-50554 (CVSS 5.3 — Medium): An unauthenticated attacker can disclose soft-deleted note metadata via a public book with deleted=true.[/subscribe_to_unlock_form]
Two vulnerabilities have been identified in Note Mark, including an unauthenticated information disclosure issue and a path traversal vulnerability. The first flaw allows unauthenticated attackers to access metadata of soft-deleted notes from public books by abusing the deleted=true parameter, bypassing intended deletion restrictions. The second vulnerability exists due to improper validation of book and note slug values, allowing attackers to inject path traversal sequences that can escape the intended export directory during migration operations, potentially leading to arbitrary file creation and privilege escalation when exports are executed with elevated permissions.
CVE-2026-50554 (CVSS 5.3 — Medium): An unauthenticated attacker can disclose soft-deleted note metadata via a public book with deleted=true.[emaillocker id="1283"]
CVE-2026-50553 (CVSS 8.6 — High): A path traversal vulnerability in Note Mark's migration export functionality allows attackers to access sibling directories due to unsanitized book and note slug values.
We strongly recommend you update github.com/enchant97/note-mark/backend to below version: • CVE-2026-50554: https://github.com/advisories/GHSA-588f-fvcv-xhvf • CVE-2026-50553: https://github.com/advisories/GHSA-rqrh-8wpv-x7hh
The following reports contain further technical details:
[/emaillocker]