Security: enchant97/note-mark
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books in note-mark
  GHSA-588f-fvcv-xhvf, published Jun 1, 2026 by enchant97. Severity: Moderate
- Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
  GHSA-rqrh-8wpv-x7hh, published Jun 1, 2026 by enchant97. Severity: High
- Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution
  GHSA-g49p-4qxj-88v3, published May 2, 2026 by enchant97. Severity: High
- JWT Secret Weakness allows Full Account Takeover via token forgery
  GHSA-q6mh-rqwh-g786, published May 2, 2026 by enchant97. Severity: Critical
- Unauthenticated read of notes and assets in soft-deleted public books
  GHSA-3gr9-485j-v4xf, published Apr 22, 2026 by enchant97. Severity: Moderate
- OIDC-registered users authenticated by submitting password "null"
  GHSA-pxf8-6wqm-r6hh, published Apr 22, 2026 by enchant97. Severity: Critical
- Information Disclosure: Username Enumeration via Login Endpoint Timing Side-Channel
  GHSA-w6m9-39cv-2fwp, published Apr 11, 2026 by enchant97. Severity: Low
- Stored XSS via Unrestricted Asset Upload
  GHSA-9pr4-rf97-79qh, published Apr 11, 2026 by enchant97. Severity: High
- Broken Access Control on Asset Download
  GHSA-p5w6-75f9-cc2p, published Apr 11, 2026 by enchant97. Severity: Moderate
- Stored XSS in the note link href attribute
  GHSA-rm48-9mqf-8jc3, published Jul 28, 2024 by enchant97. Severity: Moderate