CVE-2026-40262
Stored XSS via Insecure Asset Handling in Note Mark
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mark | note_mark | to 0.19.2 (exc) |
| mark | note_mark | 0.19.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Note Mark, an open-source note-taking application, in versions 0.19.1 and earlier. The issue arises because the asset delivery handler serves uploaded files inline and relies on magic-byte detection to determine content type. However, this detection method fails to identify certain text-based formats like HTML, SVG, or XHTML. As a result, these files are served with an empty Content-Type header, no X-Content-Type-Options: nosniff header, and with inline disposition.
An authenticated user can exploit this by uploading an HTML or SVG file containing malicious JavaScript as a note asset. When another user visits the URL of this asset, the browser may sniff and render the active content, causing the script to execute within the application's origin. This allows the script to access the victim's authenticated session and perform API actions on their behalf.
This vulnerability was fixed in version 0.19.2 of Note Mark.
How can this vulnerability impact me? :
This vulnerability can have serious security impacts. Because an attacker can upload malicious HTML or SVG files containing JavaScript, they can execute scripts in the context of the application when a victim accesses the asset URL.
- The attacker can hijack the victim's authenticated session.
- The attacker can perform API actions with the victim's privileges.
- This can lead to unauthorized access, data theft, or manipulation within the application.
- Because the vulnerability involves cross-site scripting (XSS), it can compromise user trust and application integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Note Mark to version 0.19.2 or later, where the issue has been fixed.
Until the upgrade is applied, restrict authenticated users from uploading HTML, SVG, or other text-based files that can contain active content.
Additionally, consider implementing web server or application-level controls to enforce proper Content-Type headers and use the X-Content-Type-Options: nosniff header to prevent browsers from sniffing and executing active content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated user to upload malicious HTML or SVG files containing JavaScript, which can then execute in the context of the application and access the victim's authenticated session and API actions. Such unauthorized access and potential data exposure could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of user data.
Because the vulnerability enables cross-site scripting (XSS) attacks that compromise session integrity and data confidentiality, affected organizations may face compliance risks related to inadequate security controls and failure to protect user data as mandated by these standards.