
Note Mark allows attackers to inject malicious code into notes

GHSA-9pr4-rf97-79qh CVE-2026-40262
Summary

A security issue allows attackers to upload and execute malicious code through Note Mark note assets. If you use Note Mark, your account could be taken over. To stay safe, check uploaded files carefully and make sure they contain no code that could harm your account.

What to do
  • Update github.com enchant97 to version 0.0.0-20260411145018-6bb62842ccb9.
Affected software
Ecosystem  Vendor      Product    Affected versions
go         github.com  enchant97  < 0.0.0-20260411145018-6bb62842ccb9
Fix: upgrade to 0.0.0-20260411145018-6bb62842ccb9
Original description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
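As an added example (not Note Mark's own code), the following Go asset handler shows the defensive pattern the fix calls for: delivery headers are decided by an allow-list of renderable types rather than by what a magic-byte sniffer reported, with nosniff always set and every other file forced to download. The names asset, inlineSafe and responseHeaders are assumptions.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"path"
	"strings"
)

// Constructed example (not Note Mark's code). The advisory's handler trusted the
// sniffer and served files inline with no Content-Type and no nosniff. Here only
// an allow-list of image types is rendered inline; everything else is a download.

// asset is a stored upload: its name and the type the magic-byte sniffer
// produced at upload time ("" models the empty type from the advisory).
type asset struct {
	name    string
	sniffed string
}

// inlineSafe is the only set of types a browser may render inline. text/html,
// image/svg+xml and application/xhtml+xml are deliberately absent.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// responseHeaders decides delivery headers on an allow-list basis, never on
// whether the sniffer happened to recognise the file.
func responseHeaders(a asset) http.Header {
	h := http.Header{}
	h.Set("X-Content-Type-Options", "nosniff") // never let the browser guess
	ct := strings.ToLower(strings.TrimSpace(strings.Split(a.sniffed, ";")[0]))
	if inlineSafe[ct] {
		h.Set("Content-Type", ct)
		h.Set("Content-Disposition", "inline")
		return h
	}
	// HTML, SVG, XHTML, XML, unknown or empty type: opaque bytes, forced download.
	h.Set("Content-Type", "application/octet-stream")
	disp := mime.FormatMediaType("attachment", map[string]string{"filename": path.Base(a.name)})
	if disp == "" { // name not representable as a parameter; bare attachment is still safe
		disp = "attachment"
	}
	h.Set("Content-Disposition", disp)
	return h
}

func main() { fmt.Println(responseHeaders(asset{name: "note.svg"})) }
```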
CVSS 3.1 (GHSA): 8.7
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
CWE-434 Unrestricted File Upload
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 13 Apr 2026