CVE Catalog

CVE-2026-44523

Critical
Published: Translated: NVD NIST

Summary

The Note Mark application prior to version 0.19.4 does not enforce minimum length or entropy for the JWT_SECRET configuration value. It allows any base64-decodable secret, including secrets as short as 1 byte.

Risk Assessment

The lack of proper length and entropy requirements for the secret can lead to easy compromise of security, posing a risk of unauthorized access to user data.

Recommendation

It is recommended to update the application to version 0.19.4 or later to ensure proper security for the JWT_SECRET value.

Original NVD description (English source)

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS