{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/note-mark--v0.19.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Note Mark \u003c= v0.19.4"],"_cs_severities":["high"],"_cs_tags":["path-traversal","privilege-escalation","web-application","rce","go","linux"],"_cs_type":"advisory","_cs_vendors":["Enchant97"],"content_html":"\u003cp\u003eNote Mark, a note-taking application developed by Enchant97, is affected by CVE-2026-50553, a critical path traversal vulnerability present in versions up to and including v0.19.4. This vulnerability stems from an unanchored regex pattern (\u003ccode\u003e[a-z0-9-]+\u003c/code\u003e) used for validating 'slug' parameters in book and note creation APIs, allowing malicious input such as \u003ccode\u003e../../../../../../tmp/escape\u003c/code\u003e to be accepted and stored verbatim. When an administrator subsequently runs the \u003ccode\u003enote-mark migrate export\u003c/code\u003e or \u003ccode\u003eexport-v1\u003c/code\u003e CLI commands - often with root privileges in environments like Docker - the application uses \u003ccode\u003epath.Join\u003c/code\u003e with these unsanitized slugs, resolving the traversal sequences. This allows an authenticated attacker to cause arbitrary directories to be created and files written to locations outside the designated export directory, enabling privilege escalation to root through mechanisms like writing to \u003ccode\u003e/etc/cron.d/\u003c/code\u003e or systemd unit directories. The vulnerability is a sibling of GHSA-g49p-4qxj-88v3, affecting similar code paths within the export functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker, as a low-privilege authenticated user, registers or logs into a Note Mark instance.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/api/books\u003c/code\u003e or \u003ccode\u003e/api/notes\u003c/code\u003e endpoint, including a crafted \u003ccode\u003eslug\u003c/code\u003e parameter containing directory traversal sequences (e.g., \u003ccode\u003e../../../../../../etc/cron.d/x\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eNote Mark's OpenAPI/huma validation, due to an unanchored \u003ccode\u003epattern:\u0026quot;[a-z0-9-]+\u0026quot;\u003c/code\u003e regex, incorrectly validates and accepts the malicious slug.\u003c/li\u003e\n\u003cli\u003eThe application stores this malicious slug verbatim in its database, associated with the attacker's created book or note.\u003c/li\u003e\n\u003cli\u003eAt a later time, an administrator executes the \u003ccode\u003enote-mark migrate export\u003c/code\u003e or \u003ccode\u003enote-mark migrate export-v1\u003c/code\u003e CLI command, typically with root privileges (e.g., in a Docker container).\u003c/li\u003e\n\u003cli\u003eDuring the export process, the application uses \u003ccode\u003epath.Join\u003c/code\u003e to construct file paths, incorporating the unsanitized, malicious slug retrieved from the database.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epath.Join\u003c/code\u003e resolves the \u003ccode\u003e../\u003c/code\u003e segments, causing \u003ccode\u003eos.MkdirAll\u003c/code\u003e to create an attacker-controlled directory and \u003ccode\u003eos.Create\u003c/code\u003e to write the note's \u003ccode\u003e_index.md\u003c/code\u003e file to an arbitrary location outside the intended export directory (e.g., \u003ccode\u003e/etc/cron.d/x\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBy writing to critical system directories, the attacker achieves arbitrary code execution as root, enabling privilege escalation and persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any registered user to facilitate arbitrary file writes with root privileges on the server hosting Note Mark, given that an administrator later performs a routine data export. If the export command is run as root (a common practice in Docker deployments or by system administrators), an attacker can write malicious cron jobs (\u003ccode\u003e/etc/cron.d/\u003c/code\u003e) or systemd unit files to achieve remote code execution as root. The potential damage includes full system compromise, data theft, or system disruption. This vulnerability poses a direct and severe risk to the integrity and confidentiality of the affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50553 immediately by upgrading Note Mark to a version beyond v0.19.4 that includes the fix for GHSA-rqrh-8wpv-x7hh.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect Note Mark Path Traversal Attempt (CVE-2026-50553)\u003c/code\u003e Sigma rule to your SIEM to identify attempts to inject malicious slugs via the API.\u003c/li\u003e\n\u003cli\u003eEnsure that log sources for \u003ccode\u003ewebserver\u003c/code\u003e category are properly configured to capture HTTP request details, including method, URI stem, and query parameters, to activate the rule above.\u003c/li\u003e\n\u003cli\u003eRegularly review administrative practices to ensure that backup and export operations are performed with the minimum necessary privileges and within isolated environments where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T13:43:34Z","date_published":"2026-07-09T13:43:34Z","id":"https://feed.craftedsignal.io/briefs/2026-07-note-mark-path-traversal/","summary":"A low-privilege authenticated user can exploit CVE-2026-50553, a path traversal vulnerability in Note Mark versions up to v0.19.4, by crafting a malicious 'slug' parameter in API requests, leading to arbitrary file write outside the intended export directory when an administrator runs the 'migrate export' command, potentially allowing root-level privilege escalation and code execution.","title":"Note Mark Path Traversal Vulnerability (CVE-2026-50553)","url":"https://feed.craftedsignal.io/briefs/2026-07-note-mark-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Note Mark \u003c= V0.19.4","version":"https://jsonfeed.org/version/1.1"}