CVE-2026-40262 (GCVE-0-2026-40262)

Vulnerability from cvelistv5 – Published: 2026-04-16 23:51 – Updated: 2026-04-16 23:51
VLAI?
Title
Note Mark has Stored XSS via Unrestricted Asset Upload
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
Severity ?
8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
enchant97 note-mark Affected: < 0.19.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "note-mark",
          "vendor": "enchant97",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.19.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application\u0027s origin with access to the victim\u0027s authenticated session and API actions. This issue has been fixed in version 0.19.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T23:51:38.679Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh"
        },
        {
          "name": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3"
        },
        {
          "name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
        }
      ],
      "source": {
        "advisory": "GHSA-9pr4-rf97-79qh",
        "discovery": "UNKNOWN"
      },
      "title": "Note Mark has Stored XSS via Unrestricted Asset Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40262",
    "datePublished": "2026-04-16T23:51:38.679Z",
    "dateReserved": "2026-04-10T17:31:45.787Z",
    "dateUpdated": "2026-04-16T23:51:38.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40262",
      "date": "2026-04-17",
      "epss": "0.00031",
      "percentile": "0.08601"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40262\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-17T01:17:39.950\",\"lastModified\":\"2026-04-17T15:29:25.583\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application\u0027s origin with access to the victim\u0027s authenticated session and API actions. This issue has been fixed in version 0.19.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"references\":[{\"url\":\"https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/enchant97/note-mark/releases/tag/v0.19.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.