note-mark

Productivity & Wikis

Note Mark is a lighting fast, web-based Markdown notes app.

Track releases GitHub Website

TypeScript Latest v0.19.5 · 2d ago Security brief →

Features

GitHub Flavored Markdown support
HTML sanitisation for XSS protection
Mobile‑friendly responsive UI with dark and light themes

Recent releases

View all 6 releases →

Review required

v0.19.5 Security relevant 2d

GHSA fixes

Open

v0.19.4 Breaking risk 1mo

Breaking changes

Minimum required `JWT_SECRET` length increased to 32 characters

Security fixes

GHSA-j88v-2chj-qfwx
GHSA-q6mh-rqwh-g786
GHSA-g49p-4qxj-88v3

Full changelog

⛔ Security Fixes ⛔

security vulnerability GHSA-j88v-2chj-qfwx
security vulnerability GHSA-q6mh-rqwh-g786
security vulnerability GHSA-g49p-4qxj-88v3

Due to one of these security fixes, there is a now a minimum required JWT_SECRET length of 32. Note Mark will not start until this is met.

Thanks to @rvizx and @osageling for their reports.

Announcement

Note Mark V1 is almost ready for release! Just final testing and documentation is needed.

Changes

Fixed

security vulnerability GHSA-j88v-2chj-qfwx
security vulnerability GHSA-q6mh-rqwh-g786
security vulnerability GHSA-g49p-4qxj-88v3

Full Changelog: https://github.com/enchant97/note-mark/compare/v0.19.3...v0.19.4

View release on GitHub

v0.19.3 Security relevant 1mo

Security fixes

GHSA-3gr9-485j-v4xf
GHSA-pxf8-6wqm-r6hh
GHSA-39q2-94rc-95cp (dependency)

Full changelog

⛔ Security Fixes ⛔

A critical security vulnerability has been discovered, added in version 0.19.2. They will be published when a CVE has been added.

Thanks to @adrgs for reporting these

Changes

Fixed

security vulnerability GHSA-3gr9-485j-v4xf
security vulnerability GHSA-pxf8-6wqm-r6hh
security vulnerability GHSA-39q2-94rc-95cp (dependency)

Full Changelog: https://github.com/enchant97/note-mark/compare/v0.19.2...v0.19.3

View release on GitHub

v0.19.2 Security relevant 1mo

Security fixes

Stored XSS via unrestricted asset upload (CVE-2026-40262)
Broken access control on asset download (CVE-2026-40265)
Username enumeration via login endpoint (CVE-2026-40263)

View release on GitHub

v0.19.1 Security relevant 2mo

Security fixes

CVE-2026-0540 - Cross-site Scripting in DOMPurify (GHSA-v2wj-7wpq-c8vv)

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Releases

View all →

Releases per month

Cadence 0.4 / wk

Last release 2d

Churn +1416 / −1447 lines · 9 files · 8 commits

Tracked 6

Security

Full profile →

Security score 3.8/10

OpenSSF —

Open CVEs 0

SECURITY.md Active maintainer

Community

GitHub stars 669

Forks 21

Open issues 11

Open PRs 0

Stars/wk velocity 0.0

About

Stars

669

Forks

Languages

TypeScript Go Dockerfile

View on GitHub Homepage Documentation

Community & Support

Sponsor / Fund

Similar tools

many-notes

memos

Plainpad

flatnotes

nanote

About

Stars

669

Forks

Languages

TypeScript Go Dockerfile

View on GitHub Homepage Documentation

Community & Support

Sponsor / Fund

Similar tools

many-notes

memos

Plainpad

flatnotes

nanote