Refine your search
4 vulnerabilities found for note-mark by enchant97
CVE-2026-40265 (GCVE-0-2026-40265)
Vulnerability from cvelistv5
Published
2026-04-16 23:56
Modified
2026-04-17 18:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40265",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T18:40:35.700177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T18:40:45.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:56:02.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p"
},
{
"name": "https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026"
},
{
"name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
}
],
"source": {
"advisory": "GHSA-p5w6-75f9-cc2p",
"discovery": "UNKNOWN"
},
"title": "Note Mark has Broken Access Control on Asset Download"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40265",
"datePublished": "2026-04-16T23:56:02.961Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-17T18:40:45.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40263 (GCVE-0-2026-40263)
Vulnerability from cvelistv5
Published
2026-04-16 23:53
Modified
2026-04-17 12:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-208 - Observable Timing Discrepancy
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40263",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T12:23:37.345690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T12:23:42.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:53:50.195Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp"
},
{
"name": "https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034"
}
],
"source": {
"advisory": "GHSA-w6m9-39cv-2fwp",
"discovery": "UNKNOWN"
},
"title": "Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40263",
"datePublished": "2026-04-16T23:53:50.195Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-17T12:23:42.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40262 (GCVE-0-2026-40262)
Vulnerability from cvelistv5
Published
2026-04-16 23:51
Modified
2026-04-18 02:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40262",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-18T02:50:12.436241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T02:51:02.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application\u0027s origin with access to the victim\u0027s authenticated session and API actions. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:51:38.679Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh"
},
{
"name": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3"
},
{
"name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
}
],
"source": {
"advisory": "GHSA-9pr4-rf97-79qh",
"discovery": "UNKNOWN"
},
"title": "Note Mark has Stored XSS via Unrestricted Asset Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40262",
"datePublished": "2026-04-16T23:51:38.679Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-18T02:51:02.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41819 (GCVE-0-2024-41819)
Vulnerability from cvelistv5
Published
2024-07-29 16:03
Modified
2024-08-05 10:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:53.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3"
},
{
"name": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:enchant97:note-mark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"lessThanOrEqual": "0.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41819",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T16:50:41.485602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T10:22:35.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:03:34.339Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3"
},
{
"name": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182"
}
],
"source": {
"advisory": "GHSA-rm48-9mqf-8jc3",
"discovery": "UNKNOWN"
},
"title": "Note Mark has a stored XSS in the note link href attribute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41819",
"datePublished": "2024-07-29T16:03:34.339Z",
"dateReserved": "2024-07-22T13:57:37.137Z",
"dateUpdated": "2024-08-05T10:22:35.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}