CVE-2026-40262
Received Received - Intake
Stored XSS via Insecure Asset Handling in Note Mark

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40262
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mark note_mark to 0.19.2 (exc)
mark note_mark 0.19.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Note Mark, an open-source note-taking application, in versions 0.19.1 and earlier. The issue arises because the asset delivery handler serves uploaded files inline and relies on magic-byte detection to determine content type. However, this detection method fails to identify certain text-based formats like HTML, SVG, or XHTML. As a result, these files are served with an empty Content-Type header, no X-Content-Type-Options: nosniff header, and with inline disposition.

An authenticated user can exploit this by uploading an HTML or SVG file containing malicious JavaScript as a note asset. When another user visits the URL of this asset, the browser may sniff and render the active content, causing the script to execute within the application's origin. This allows the script to access the victim's authenticated session and perform API actions on their behalf.

This vulnerability was fixed in version 0.19.2 of Note Mark.

Impact Analysis

This vulnerability can have serious security impacts. Because an attacker can upload malicious HTML or SVG files containing JavaScript, they can execute scripts in the context of the application when a victim accesses the asset URL.

  • The attacker can hijack the victim's authenticated session.
  • The attacker can perform API actions with the victim's privileges.
  • This can lead to unauthorized access, data theft, or manipulation within the application.
  • Because the vulnerability involves cross-site scripting (XSS), it can compromise user trust and application integrity.
Mitigation Strategies

To mitigate this vulnerability, upgrade Note Mark to version 0.19.2 or later, where the issue has been fixed.

Until the upgrade is applied, restrict authenticated users from uploading HTML, SVG, or other text-based files that can contain active content.

Additionally, consider implementing web server or application-level controls to enforce proper Content-Type headers and use the X-Content-Type-Options: nosniff header to prevent browsers from sniffing and executing active content.

Compliance Impact

This vulnerability allows an authenticated user to upload malicious HTML or SVG files containing JavaScript, which can then execute in the context of the application and access the victim's authenticated session and API actions. Such unauthorized access and potential data exposure could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of user data.

Because the vulnerability enables cross-site scripting (XSS) attacks that compromise session integrity and data confidentiality, affected organizations may face compliance risks related to inadequate security controls and failure to protect user data as mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40262. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart