Severity | Score | CVE | Advisory | Affected versions
CRITICAL | 10.0 | CVE-2026-44523 | Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery | from 0, < 0.0.0-20260501152247-18b587758667
CRITICAL | 9.4 | CVE-2026-41571 | Note Mark: OIDC-registered users authenticated by submitting password "null" | from 0, < 0.0.0-20260417132909-dea5530cc989
HIGH | 8.7 | (none listed) | Note Mark has Stored XSS via Unrestricted Asset Upload | from 0, < 0.0.0-20260411145018-6bb62842ccb9
MEDIUM | 5.9 | (none listed) | Note Mark has Broken Access Control on Asset Download | from 0, < 0.0.0-20260411145023-6593898855ad
MEDIUM | 5.3 | (none listed) | Note Mark: Unauthenticated read of notes and assets in soft-deleted public books | from 0, < 0.0.0-20260417132843-d1bf845a2a2d
LOW | 3.7 | (none listed) | Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel | from 0, < 0.19.2-0.20260411145025-cf4c6f6acf70
(unrated) | — | (none listed) | Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution | from 0, < 0.0.0-20260501152243-db3f72bff780