0.19.3
0.0.0-20260411145018-6bb62842ccb9
CVE-2026-40262 describes a stored, same-origin Cross-Site Scripting (XSS) vulnerability discovered in Note Mark. This flaw allows authenticated users to upload malicious HTML, SVG, or XHTML files as note assets, which are then executed in the browsers of other users. The vulnerability impacts Note Mark versions 0.19.0 through 0.19.2 and has been resolved in version 0.19.2.
An attacker can exploit this vulnerability by crafting a malicious HTML, SVG, or XHTML file and uploading it as a note asset. When a victim views this note, the attacker's code executes within the context of the Note Mark application, giving the attacker access to authenticated API actions as the victim. This could allow an attacker to steal sensitive data, modify application state, or perform other actions on behalf of the victim. The impact is particularly severe because the payload runs same-origin: the uploaded file is served from the application's own origin rather than a sandboxed one, so the browser's same-origin policy does nothing to separate the injected script from the victim's session.
CVE-2026-40262 was publicly disclosed on 2026-04-16. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the potential impact, suggests a medium probability of exploitation.
Organizations using Note Mark for internal collaboration or knowledge management are at risk, particularly those relying on older versions (0.19.0 - 0.19.2). Shared hosting environments where multiple users have access to the Note Mark instance are also at increased risk, as a compromised user could potentially exploit the vulnerability to affect other users.
• linux / server: Monitor Note Mark application logs for file uploads with suspicious content types (e.g., text/html, image/svg+xml) or unusual filenames. Use grep to search for patterns indicative of XSS payloads within uploaded files.
grep -r '<script' /var/log/notemark/upload.log
• generic web: Examine Note Mark's access logs for requests to asset endpoints with unusual parameters or user agents. Use curl to test asset endpoints with potentially malicious payloads.
curl -X POST -d '<script>alert("XSS")</script>' http://your-notemark-instance/assets/upload
Exploitation status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-40262 is to upgrade Note Mark to version 0.19.2 or later, which contains the fix. If upgrading immediately is not possible, consider implementing stricter content type validation and sanitization on uploaded files. While not a complete solution, enabling Content Security Policy (CSP) with appropriate directives can help reduce the attack surface by restricting the sources from which scripts can be executed. Monitor Note Mark logs for suspicious file uploads or unusual API activity.
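As an added example (not Note Mark's own code) of the upload-side validation and the response hardening the mitigation paragraph describes, the following Go snippet sniffs each uploaded asset's real media type, rejects HTML, XHTML, SVG and XML bodies regardless of the declared type or filename, and returns the headers to serve stored assets with so that a file that slips through is downloaded rather than rendered same-origin. The function names and the 512-byte sniff window are assumptions, not Note Mark internals.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
)
// Media types a browser renders as a document when served from the app's own
// origin; an uploaded asset that sniffs as one of these is rejected.
var activeContentTypes = map[string]bool{
	"text/html": true, "application/xhtml+xml": true, "image/svg+xml": true,
	"text/xml": true, "application/xml": true,
}
// ValidateAsset sniffs the leading bytes of an upload and returns the detected
// media type, or an error if the asset could render as markup (assumed helper).
func ValidateAsset(data []byte) (string, error) {
	sniffed := http.DetectContentType(data) // e.g. "text/html; charset=utf-8"
	mediaType := strings.TrimSpace(strings.SplitN(sniffed, ";", 2)[0])
	if activeContentTypes[mediaType] {
		return mediaType, fmt.Errorf("rejected: %s is active content", mediaType)
	}
	// DetectContentType has no SVG signature, so an SVG without an XML prolog
	// sniffs as text/plain; check the first 512 bytes for markup directly.
	head := data
	if len(head) > 512 {
		head = head[:512]
	}
	head = bytes.ToLower(head)
	if bytes.Contains(head, []byte("<svg")) || bytes.Contains(head, []byte("<script")) {
		return mediaType, fmt.Errorf("rejected: markup found in %s body", mediaType)
	}
	return mediaType, nil
}
// AssetHeaders builds response headers for serving a stored asset: nosniff pins
// the type, attachment forces a download, and the CSP sandbox denies script.
func AssetHeaders(mediaType string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", mediaType)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", "attachment")
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	return h
}
func main() { // constructed samples: a PNG header and an HTML document
	for _, s := range []string{"\x89PNG\r\n\x1a\n", "<html><script>alert(1)</script></html>"} {
		fmt.Println(ValidateAsset([]byte(s)))
	}
}
```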
Upgrade to version 0.19.2 or later to mitigate the XSS vulnerability. This version fixes the issue by implementing proper content-type validation for uploaded files and preventing the execution of malicious scripts.
CVE-2026-40262 is a stored XSS vulnerability in Note Mark versions 0.19.0 through 0.19.2, allowing authenticated users to execute malicious code in other users' browsers.
You are affected if you are using Note Mark versions 0.19.0, 0.19.1, or 0.19.2. Upgrade to version 0.19.2 or later to resolve the vulnerability.
Upgrade Note Mark to version 0.19.2 or later. Consider implementing stricter content type validation and CSP as temporary mitigations.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, and it's recommended to apply the fix promptly.
Refer to the Note Mark security advisory for detailed information and updates: [Replace with actual advisory URL when available]