0.19.3
0.0.0-20260411145018-6bb62842ccb9
CVE-2026-40262 describes a stored, same-origin Cross-Site Scripting (XSS) vulnerability discovered in Note Mark. This flaw allows authenticated users to upload malicious HTML, SVG, or XHTML files as note assets, which are then executed in the browsers of other users. The vulnerability impacts Note Mark versions 0.19.0 through 0.19.2 and has been resolved in version 0.19.2.
An attacker can exploit this vulnerability by crafting a malicious HTML, SVG, or XHTML file and uploading it as a note asset. When a victim views this note, the attacker's code executes within the context of the Note Mark application, giving the attacker access to authenticated API actions as the victim. This could allow an attacker to steal sensitive data, modify application state, or perform other actions on behalf of the victim. The impact is particularly severe because the payload is same-origin: it runs under the application's own origin, so the browser's same-origin policy does not separate it from the victim's session and the application's API.
CVE-2026-40262 was publicly disclosed on 2026-04-16. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the potential impact, suggests a medium probability of exploitation.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40262 is to upgrade Note Mark to version 0.19.2 or later, which contains the fix. If upgrading immediately is not possible, consider implementing stricter content type validation and sanitization on uploaded files. While not a complete solution, enabling Content Security Policy (CSP) with appropriate directives can help reduce the attack surface by restricting the sources from which scripts can be executed. Monitor Note Mark logs for suspicious file uploads or unusual API activity.
Upgrade to version 0.19.2 or later to mitigate the XSS vulnerability. This version fixes the issue by implementing proper content type validation for uploaded files and preventing the execution of malicious scripts.
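As an added example (not code from Note Mark or from this advisory), the following Go program shows the server-side shape of the two mitigations described above: validating uploaded note assets by extension and by sniffed content rather than trusting the client's declared type, and serving stored assets with headers that keep them inert if a bad file ever gets through. The function names (ValidateAsset, ServeAsset, AssetHeaders), the allow-list, the header values and the sample uploads are assumptions of this example, not Note Mark's implementation.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Asset types a markdown note legitimately embeds; the mapping also fixes the
// Content-Type that will be served, so the client's declared type is never
// trusted. This allow-list is an assumption of the example.
var allowedTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
	".pdf":  "application/pdf",
}

// Leading markers of documents a browser would render as active content.
// They are checked regardless of extension, because a renamed .html, .svg
// or .xhtml file is still executed if it is ever served inline.
var activeMarkers = []string{"<!doctype html", "<html", "<svg", "<script", "<?xml"}

// ValidateAsset returns the MIME type an upload may be stored under, or an
// error explaining the rejection. name is the client-supplied filename and
// data the file body; only the first 512 bytes are inspected for sniffing.
func ValidateAsset(name string, data []byte) (string, error) {
	ext := strings.ToLower(path.Ext(name))
	mime, ok := allowedTypes[ext]
	if !ok {
		return "", fmt.Errorf("extension %q is not an allowed asset type", ext)
	}
	head := data
	if len(head) > 512 {
		head = head[:512]
	}
	// Strip leading whitespace and BOM, then compare case-insensitively.
	lowered := strings.ToLower(string(bytes.TrimLeft(head, " \t\r\n\ufeff")))
	for _, m := range activeMarkers {
		if strings.HasPrefix(lowered, m) {
			return "", fmt.Errorf("content starts with %q; active content is not allowed", m)
		}
	}
	// The sniffed type must belong to the same family (image/, application/)
	// as the extension claims; HTML hidden behind an image name fails here.
	sniffed := http.DetectContentType(head)
	family := strings.SplitN(mime, "/", 2)[0] + "/"
	if !strings.HasPrefix(sniffed, family) {
		return "", fmt.Errorf("content sniffed as %s, which does not match %s", sniffed, mime)
	}
	return mime, nil
}

// ServeAsset writes a stored asset with headers that keep it inert even if a
// bad file slipped past validation: a fixed type with sniffing disabled, a
// download-only disposition for direct navigation, and a CSP sandbox that
// denies scripts and origin access to anything a browser renders anyway.
func ServeAsset(w http.ResponseWriter, mime string, data []byte) {
	h := w.Header()
	h.Set("Content-Type", mime)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", "attachment")
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(data)
}

// AssetHeaders runs ServeAsset against a recorder and returns the response
// headers, so the hardening can be checked without a listening server.
func AssetHeaders(mime string, data []byte) http.Header {
	rec := httptest.NewRecorder()
	ServeAsset(rec, mime, data)
	return rec.Result().Header
}

func main() {
	// Constructed sample uploads for the demo, not files from any real instance.
	samples := []struct {
		name string
		body []byte
	}{
		{"diagram.png", []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")},
		{"logo.png", []byte("<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>")},
		{"page.html", []byte("<!DOCTYPE html><html></html>")},
	}
	for _, s := range samples {
		if mime, err := ValidateAsset(s.name, s.body); err != nil {
			fmt.Printf("%-12s rejected: %v\n", s.name, err)
		} else {
			fmt.Printf("%-12s accepted as %s\n", s.name, mime)
		}
	}
}
```

Content-Disposition: attachment only affects direct navigation to the asset URL; images referenced from a rendered note via an img element still load normally, which is why it can be combined with nosniff and the CSP sandbox without breaking legitimate embeds.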
CVE-2026-40262 is a stored XSS vulnerability in Note Mark versions 0.19.0 through 0.19.2, allowing authenticated users to execute malicious code in other users' browsers.
You are affected if you are using Note Mark versions 0.19.0, 0.19.1, or 0.19.2. Upgrade to version 0.19.2 or later to resolve the vulnerability.
Upgrade Note Mark to version 0.19.2 or later. Consider implementing stricter content type validation and CSP as temporary mitigations.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, and it's recommended to apply the fix promptly.
Refer to the Note Mark security advisory for detailed information and updates: [Replace with actual advisory URL when available]