CVE-2026-44523
CriticalSummary
The Note Mark application prior to version 0.19.4 does not enforce minimum length or entropy for the JWT_SECRET configuration value. It allows any base64-decodable secret, including secrets as short as 1 byte.
Risk Assessment
The lack of proper length and entropy requirements for the secret can lead to easy compromise of security, posing a risk of unauthorized access to user data.
Recommendation
It is recommended to update the application to version 0.19.4 or later to ensure proper security for the JWT_SECRET value.
Original NVD description (English source)
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

