CVE-2026-40262 (GCVE-0-2026-40262)
Vulnerability from cvelistv5
Published
2026-04-16 23:51
Modified
2026-04-18 02:51
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
References
Impacted products
Vendor Product Version
enchant97 note-mark Version: < 0.19.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40262",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-18T02:50:12.436241Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-18T02:51:02.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "note-mark",
          "vendor": "enchant97",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.19.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application\u0027s origin with access to the victim\u0027s authenticated session and API actions. This issue has been fixed in version 0.19.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T23:51:38.679Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh"
        },
        {
          "name": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3"
        },
        {
          "name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
        }
      ],
      "source": {
        "advisory": "GHSA-9pr4-rf97-79qh",
        "discovery": "UNKNOWN"
      },
      "title": "Note Mark has Stored XSS via Unrestricted Asset Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40262",
    "datePublished": "2026-04-16T23:51:38.679Z",
    "dateReserved": "2026-04-10T17:31:45.787Z",
    "dateUpdated": "2026-04-18T02:51:02.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40262\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-18T02:50:12.436241Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-18T02:50:58.266Z\"}}], \"cna\": {\"title\": \"Note Mark has Stored XSS via Unrestricted Asset Upload\", \"source\": {\"advisory\": \"GHSA-9pr4-rf97-79qh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"enchant97\", \"product\": \"note-mark\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.19.2\"}]}], \"references\": [{\"url\": \"https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh\", \"name\": \"https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3\", \"name\": \"https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/enchant97/note-mark/releases/tag/v0.19.2\", \"name\": \"https://github.com/enchant97/note-mark/releases/tag/v0.19.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application\u0027s origin with access to the victim\u0027s authenticated session and API actions. This issue has been fixed in version 0.19.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-16T23:51:38.679Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40262\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-18T02:51:02.474Z\", \"dateReserved\": \"2026-04-10T17:31:45.787Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-16T23:51:38.679Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.