CVE-2026-44522

Source
https://cve.org/CVERecord?id=CVE-2026-44522
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44522.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44522
Aliases
Published
2026-05-14T18:44:35.887Z
Modified
2026-07-08T08:05:14.690563259Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution
Details

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44522.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/enchant97/note-mark

Affected ranges

Type
GIT
Repo
https://github.com/enchant97/note-mark
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0.13.0"
        },
        {
            "fixed": "0.19.4"
        },
        {
            "introduced": "0"
        }
    ]
}

Affected versions

v0.*
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.17.0
v0.17.1
v0.18.0
v0.19.0
v0.19.1
v0.19.2
v0.19.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44522.json"