CVE-2026-40265Medium
ANC
ANC
Anchore Vulnerability Database overrides
Supplementary feed layered on top of upstream sources. Anchore maintainers publish override records to suppress known false positives and fill CPE/PURL gaps that would otherwise cause Grype and similar scanners to mis-report a system.
Region
US
Updates
6 ч
License
Apache-2.0
Curated corrections to the Anchore/Grype vulnerability database: false-positive suppressions, missing CPE mappings and distro-specific backport fixes.
https://github.com/anchore/grype-db →Share link
Anyone with the link can open this vulnerability.
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/asset…
CVSS
5.9
Medium
EPSS
0.00
p32
Published
2026-01-01
Updated
2026-01-01
Description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
Tags · CWE
Pre-auth
CWE-862
CWE-862ClassIncomplete
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://cwe.mitre.org/data/definitions/862.html →Open in CWE collection →CAPEC-665
CAPEC-665DetailedStable
Exploitation of Thunderbolt Protection Flaws
https://capec.mitre.org/data/definitions/665.html →Open in CAPEC collection →
Affected products
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Timeline
2026-01-01
Published
2026-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: H
High (H)
Privileges Required
PR: N
None (N)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: H
High (H)
Integrity Impact
I: N
None (N)
Availability Impact
A: N
None (N)
Exploit indicators
EPSS
0.004 · p32
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-665 · CWE-862
└ via CAPEC-665 · CWE-862
└ via CAPEC-665 · CWE-862
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Source databases
ANC
ANC
Anchore Vulnerability Database overrides
Supplementary feed layered on top of upstream sources. Anchore maintainers publish override records to suppress known false positives and fill CPE/PURL gaps that would otherwise cause Grype and similar scanners to mis-report a system.
Region
US
Updates
6 ч
License
Apache-2.0
Curated corrections to the Anchore/Grype vulnerability database: false-positive suppressions, missing CPE mappings and distro-specific backport fixes.
https://github.com/anchore/grype-db →