CVE-2026-44522— Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)). When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory. This vulnerability is fixed in 0.19.4.

N/A

输入验证不恰当

Note Mark 输入验证错误漏洞

Note Mark是Leo Spratt个人开发者的一个基于网络的Markdown笔记应用程序。 Note Mark 0.13.0至0.19.4之前版本存在输入验证错误漏洞，该漏洞源于资产文件名未进行清理和验证，可能导致目录遍历攻击，写入任意文件。

N/A

N/A