HIGH · CVE-2026-40262 · CVSS 8.7

CVE-2026-40262: XSS in Note Mark

Platform

go

Component

note-mark

Fixed in

0.19.3

0.0.0-20260411145018-6bb62842ccb9

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-40262 describes a stored, same-origin Cross-Site Scripting (XSS) vulnerability discovered in Note Mark. This flaw allows authenticated users to upload malicious HTML, SVG, or XHTML files as note assets, which are then executed in the browsers of other users. The vulnerability impacts Note Mark versions 0.19.0 through 0.19.2 and has been resolved in version 0.19.2.

Impact and Attack Scenarios

An attacker can exploit this vulnerability by crafting a malicious HTML, SVG, or XHTML file and uploading it as a note asset. When a victim views this note, the attacker's code executes within the context of the Note Mark application, giving the attacker access to authenticated API actions as the victim. This could allow an attacker to steal sensitive data, modify application state, or perform other actions on behalf of the victim. The impact is particularly severe because the vulnerability is same-origin: the injected script runs in the application's own origin, so it inherits the victim's session and is not restricted by the browser's same-origin policy the way content served from a separate domain would be.

Exploitation Context

CVE-2026-40262 was publicly disclosed on 2026-04-16. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the potential impact, suggests a medium probability of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.01% (1% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (base score 8.7, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: note-mark
Vendor: enchant97
Affected range: < 0.19.2 – < 0.19.2
Fixed in: 0.19.3, 0.0.0-20260411145018-6bb62842ccb9

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-40262 is to upgrade Note Mark to version 0.19.2 or later, which contains the fix. If upgrading immediately is not possible, consider implementing stricter content type validation and sanitization on uploaded files. While not a complete solution, enabling Content Security Policy (CSP) with appropriate directives can help reduce the attack surface by restricting the sources from which scripts can be executed. Monitor Note Mark logs for suspicious file uploads or unusual API activity.
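The two interim measures named above, stricter content type validation on upload and making sure stored assets can never run as an active document in the application's origin, are shown below as an added Go example. This is not Note Mark's own code and does not reflect how the project implemented its fix; the function names, the image allowlist and the sample uploads are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Sniffed MIME types that a note asset may be rendered inline (assumed allowlist).
// HTML, SVG and XHTML are deliberately absent: they are active documents that
// would execute script in the application's origin if rendered inline.
var inlineSafe = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
	"image/webp": true,
}

// sniffType ignores the client-declared Content-Type and classifies the upload
// from its leading bytes using Go's implementation of WHATWG MIME sniffing.
func sniffType(data []byte) string {
	ct := http.DetectContentType(data)
	return strings.TrimSpace(strings.Split(ct, ";")[0]) // drop "; charset=..."
}

var errActiveContent = errors.New("upload rejected: only image assets are accepted")

// validateUpload is the upload-time check: anything whose sniffed type is not on
// the allowlist is refused, regardless of file extension or declared type.
func validateUpload(data []byte) (string, error) {
	ct := sniffType(data)
	if !inlineSafe[ct] {
		return ct, errActiveContent
	}
	return ct, nil
}

// serveAsset is the serve-time hardening for assets that are already stored
// (defence in depth for files uploaded before the allowlist existed). Anything
// not known to be inline-safe is delivered as an opaque download, and every
// asset is sandboxed so that even a mis-sniffed file cannot run script or reach
// the application's origin.
func serveAsset(w http.ResponseWriter, name string, data []byte) {
	ct := sniffType(data)
	h := w.Header()
	h.Set("X-Content-Type-Options", "nosniff")                      // browser must honour our type
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'") // no scripts, opaque origin
	if inlineSafe[ct] {
		h.Set("Content-Type", ct)
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", name))
	} else {
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	}
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

// responseFor runs serveAsset against a recorder so the resulting headers can be
// inspected without starting a listener.
func responseFor(name string, data []byte) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	serveAsset(rec, name, data)
	return rec
}

func main() {
	// Constructed sample uploads: a minimal PNG header and a small HTML document.
	samples := map[string][]byte{
		"diagram.png": []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
		"note.html":   []byte("<html><body>hello</body></html>"),
	}
	for name, data := range samples {
		ct, err := validateUpload(data)
		fmt.Printf("upload %-12s sniffed as %-10s err=%v\n", name, ct, err)
		rec := responseFor(name, data)
		fmt.Printf("serve  %-12s Content-Type=%s Content-Disposition=%s\n",
			name, rec.Header().Get("Content-Type"), rec.Header().Get("Content-Disposition"))
	}
}
```

The check is an allowlist rather than a denylist on purpose: Go's http.DetectContentType does not recognise SVG as an image type (an SVG file is reported as text/plain or text/xml), so a denylist keyed on text/html would miss exactly one of the file types this advisory names, whereas the allowlist refuses it without needing to identify it. The sandbox CSP and nosniff headers on the serving path cover assets that were stored before the upload check existed.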

How to fix

Upgrade to version 0.19.2 or later to mitigate the XSS vulnerability. This version fixes the issue by implementing proper content type validation for uploaded files and preventing the execution of malicious scripts.

Frequently asked questions

What is CVE-2026-40262 — XSS in Note Mark?

CVE-2026-40262 is a stored XSS vulnerability in Note Mark versions 0.19.0 through 0.19.2, allowing authenticated users to execute malicious code in other users' browsers.

Am I affected by CVE-2026-40262 in Note Mark?

You are affected if you are using Note Mark versions 0.19.0, 0.19.1, or 0.19.2. Upgrade to version 0.19.2 or later to resolve the vulnerability.

How do I fix CVE-2026-40262 in Note Mark?

Upgrade Note Mark to version 0.19.2 or later. Consider implementing stricter content type validation and CSP as temporary mitigations.

Is CVE-2026-40262 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, and it's recommended to apply the fix promptly.

Where can I find the official Note Mark advisory for CVE-2026-40262?

Refer to the Note Mark security advisory for detailed information and updates: [Replace with actual advisory URL when available]
