Directory Traversal Vulnerability in Note Mark by Enchant97
CVE-2026-44522

8.6HIGH

Key Information:

Vendor: Enchant97
Status: Note-mark
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-44522?

Note Mark, an open-source note-taking application, contains a directory traversal vulnerability that impacts versions from 0.13.0 to before 0.19.4. This security flaw arises from the improper handling of asset filenames provided through the X-Name HTTP request header during the upload process. These filenames are stored in the database without sufficient sanitization or validation. Consequently, when an administrator executes data export CLI commands, the unsanitized asset names are incorporated directly into file paths, allowing for the manipulation of directories outside the designated export location. This vulnerability has been addressed in version 0.19.4.

Affected Version(s)

note-mark >= 0.13.0, < 0.19.4

References

https://github.com/enchant97/note-mark/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44522 Data

JSON