CVE-2026-40262: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in enchant97 note-mark
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
AI Analysis
Technical Summary
CVE-2026-40262 is a high-severity cross-site scripting vulnerability in the open-source note-taking application Note Mark (enchant97 project). In versions prior to 0.19.2, the asset delivery handler serves uploaded files inline relying on magic-byte detection, which fails to identify text-based formats like HTML or SVG. These files are served with an empty Content-Type header and without the X-Content-Type-Options: nosniff header, enabling browsers to sniff and execute active content. An authenticated attacker can upload malicious HTML or SVG files containing JavaScript, which executes when a victim accesses the asset URL, compromising the victim's authenticated session and API access. The issue is resolved in version 0.19.2.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of a victim user's session. This can lead to session hijacking and unauthorized API actions under the victim's privileges. The vulnerability does not affect availability but impacts confidentiality and integrity of user sessions and data.
Mitigation Recommendations
Upgrade Note Mark to version 0.19.2 or later, where this vulnerability is fixed. The fix addresses proper content-type handling and adds the X-Content-Type-Options: nosniff header to prevent browsers from executing malicious content. No other mitigation is indicated by the vendor advisory.
CVE-2026-40262: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in enchant97 note-mark
Description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
CVSS v3.1
Score 8.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40262 is a high-severity cross-site scripting vulnerability in the open-source note-taking application Note Mark (enchant97 project). In versions prior to 0.19.2, the asset delivery handler serves uploaded files inline relying on magic-byte detection, which fails to identify text-based formats like HTML or SVG. These files are served with an empty Content-Type header and without the X-Content-Type-Options: nosniff header, enabling browsers to sniff and execute active content. An authenticated attacker can upload malicious HTML or SVG files containing JavaScript, which executes when a victim accesses the asset URL, compromising the victim's authenticated session and API access. The issue is resolved in version 0.19.2.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of a victim user's session. This can lead to session hijacking and unauthorized API actions under the victim's privileges. The vulnerability does not affect availability but impacts confidentiality and integrity of user sessions and data.
Mitigation Recommendations
Upgrade Note Mark to version 0.19.2 or later, where this vulnerability is fixed. The fix addresses proper content-type handling and adds the X-Content-Type-Options: nosniff header to prevent browsers from executing malicious content. No other mitigation is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1786e82d89c981fe335c0
Added to database: 4/17/2026, 12:01:50 AM
Last enriched: 4/24/2026, 4:12:47 PM
Last updated: 6/1/2026, 10:35:15 PM
Views: 99
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.