{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40262", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T17:31:45.787Z", "datePublished": "2026-04-16T23:51:38.679Z", "dateUpdated": "2026-04-16T23:51:38.679Z"}, "containers": {"cna": {"title": "Note Mark has Stored XSS via Unrestricted Asset Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh"}, {"name": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3", "tags": ["x_refsource_MISC"], "url": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3"}, {"name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"}], "affected": [{"vendor": "enchant97", "product": "note-mark", "versions": [{"version": "< 0.19.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T23:51:38.679Z"}, "descriptions": [{"lang": "en", "value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2."}], "source": {"advisory": "GHSA-9pr4-rf97-79qh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2."}], "id": "CVE-2026-40262", "lastModified": "2026-04-17T01:17:39.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T01:17:39.950", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3"}, {"source": "security-advisories@github.com", "url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T02:50:42.951808+00:00", "value": {"mitigation_remediation": ["Upgrade Note Mark to version 0.19.2 or later", "Enforce server\u2011side file\u2011type validation to block or reject HTML, SVG, and XHTML uploads", "Set strict Content\u2011Type headers, enable X\u2011Content\u2011Type\u2011Options: nosniff, and serve assets with an attachment disposition instead of inline"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability is present only in the open\u2011source Note Mark notebook application produced by the CNA enchant97:note\u2011mark. It applies to all releases up to and including 0.19.1. The fix was released in version 0.19.2, which stops serving uploaded files inline and properly validates content types.", "description_and_impact": "Note Mark allows an authenticated user to upload any file as a note asset. In versions 0.19.1 and earlier, the asset delivery handler serves uploaded files inline and relies solely on magic\u2011byte detection to determine MIME type. This approach fails to flag text\u2011based formats such as HTML, SVG, or XHTML, so the files are served with an empty Content\u2011Type header, no X\u2011Content\u2011Type\u2011Options: nosniff header and an inline disposition. Modern browsers therefore sniff and render the content, allowing embedded scripts to execute. An attacker can thus upload a malicious HTML or SVG file containing JavaScript; when a victim visits the asset\u2019s URL, the script runs in the context of the Note Mark application, giving the attacker access to the victim\u2019s authenticated session and the ability to perform API actions on their behalf, effectively compromising confidentiality, integrity, and availability for that user.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity for cross\u2011site scripting. There is no EPSS data available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user with upload privileges to place the malicious file and a victim who subsequently opens that asset URL. While upload access is not open to the entire internet, it is typically available to regular users within the application, so an attacker with that capability can easily compromise other users who view the malicious note."}}}}, "created": "2026-04-17T03:00:08.413330+00:00", "updated": "2026-04-17T03:00:08.413361+00:00", "vendors": []}