Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for note-mark by enchant97
CVE-2026-40265 (GCVE-0-2026-40265)
Vulnerability from nvd – Published: 2026-04-16 23:56 – Updated: 2026-04-17 18:40
VLAI?
Title
Note Mark has Broken Access Control on Asset Download
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
Severity ?
5.9 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40265",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T18:40:35.700177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T18:40:45.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:56:02.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p"
},
{
"name": "https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026"
},
{
"name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
}
],
"source": {
"advisory": "GHSA-p5w6-75f9-cc2p",
"discovery": "UNKNOWN"
},
"title": "Note Mark has Broken Access Control on Asset Download"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40265",
"datePublished": "2026-04-16T23:56:02.961Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-17T18:40:45.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40263 (GCVE-0-2026-40263)
Vulnerability from nvd – Published: 2026-04-16 23:53 – Updated: 2026-04-17 12:23
VLAI?
Title
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.
Severity ?
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40263",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T12:23:37.345690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T12:23:42.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:53:50.195Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp"
},
{
"name": "https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034"
}
],
"source": {
"advisory": "GHSA-w6m9-39cv-2fwp",
"discovery": "UNKNOWN"
},
"title": "Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40263",
"datePublished": "2026-04-16T23:53:50.195Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-17T12:23:42.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40262 (GCVE-0-2026-40262)
Vulnerability from nvd – Published: 2026-04-16 23:51 – Updated: 2026-04-18 02:51
VLAI?
Title
Note Mark has Stored XSS via Unrestricted Asset Upload
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
Severity ?
8.7 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40262",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-18T02:50:12.436241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T02:51:02.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application\u0027s origin with access to the victim\u0027s authenticated session and API actions. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:51:38.679Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh"
},
{
"name": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3"
},
{
"name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
}
],
"source": {
"advisory": "GHSA-9pr4-rf97-79qh",
"discovery": "UNKNOWN"
},
"title": "Note Mark has Stored XSS via Unrestricted Asset Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40262",
"datePublished": "2026-04-16T23:51:38.679Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-18T02:51:02.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41819 (GCVE-0-2024-41819)
Vulnerability from nvd – Published: 2024-07-29 16:03 – Updated: 2024-08-05 10:22
VLAI?
Title
Note Mark has a stored XSS in the note link href attribute
Summary
Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:53.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3"
},
{
"name": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:enchant97:note-mark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"lessThanOrEqual": "0.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41819",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T16:50:41.485602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T10:22:35.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:03:34.339Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3"
},
{
"name": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182"
}
],
"source": {
"advisory": "GHSA-rm48-9mqf-8jc3",
"discovery": "UNKNOWN"
},
"title": "Note Mark has a stored XSS in the note link href attribute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41819",
"datePublished": "2024-07-29T16:03:34.339Z",
"dateReserved": "2024-07-22T13:57:37.137Z",
"dateUpdated": "2024-08-05T10:22:35.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-40265 (GCVE-0-2026-40265)
Vulnerability from cvelistv5 – Published: 2026-04-16 23:56 – Updated: 2026-04-17 18:40
VLAI?
Title
Note Mark has Broken Access Control on Asset Download
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
Severity ?
5.9 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40265",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T18:40:35.700177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T18:40:45.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:56:02.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p"
},
{
"name": "https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026"
},
{
"name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
}
],
"source": {
"advisory": "GHSA-p5w6-75f9-cc2p",
"discovery": "UNKNOWN"
},
"title": "Note Mark has Broken Access Control on Asset Download"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40265",
"datePublished": "2026-04-16T23:56:02.961Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-17T18:40:45.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40263 (GCVE-0-2026-40263)
Vulnerability from cvelistv5 – Published: 2026-04-16 23:53 – Updated: 2026-04-17 12:23
VLAI?
Title
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.
Severity ?
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40263",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T12:23:37.345690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T12:23:42.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:53:50.195Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp"
},
{
"name": "https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034"
}
],
"source": {
"advisory": "GHSA-w6m9-39cv-2fwp",
"discovery": "UNKNOWN"
},
"title": "Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40263",
"datePublished": "2026-04-16T23:53:50.195Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-17T12:23:42.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40262 (GCVE-0-2026-40262)
Vulnerability from cvelistv5 – Published: 2026-04-16 23:51 – Updated: 2026-04-18 02:51
VLAI?
Title
Note Mark has Stored XSS via Unrestricted Asset Upload
Summary
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
Severity ?
8.7 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40262",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-18T02:50:12.436241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T02:51:02.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application\u0027s origin with access to the victim\u0027s authenticated session and API actions. This issue has been fixed in version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T23:51:38.679Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh"
},
{
"name": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3"
},
{
"name": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.2"
}
],
"source": {
"advisory": "GHSA-9pr4-rf97-79qh",
"discovery": "UNKNOWN"
},
"title": "Note Mark has Stored XSS via Unrestricted Asset Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40262",
"datePublished": "2026-04-16T23:51:38.679Z",
"dateReserved": "2026-04-10T17:31:45.787Z",
"dateUpdated": "2026-04-18T02:51:02.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41819 (GCVE-0-2024-41819)
Vulnerability from cvelistv5 – Published: 2024-07-29 16:03 – Updated: 2024-08-05 10:22
VLAI?
Title
Note Mark has a stored XSS in the note link href attribute
Summary
Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:53.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3"
},
{
"name": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:enchant97:note-mark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"lessThanOrEqual": "0.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41819",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T16:50:41.485602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T10:22:35.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "note-mark",
"vendor": "enchant97",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:03:34.339Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3"
},
{
"name": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182"
}
],
"source": {
"advisory": "GHSA-rm48-9mqf-8jc3",
"discovery": "UNKNOWN"
},
"title": "Note Mark has a stored XSS in the note link href attribute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41819",
"datePublished": "2024-07-29T16:03:34.339Z",
"dateReserved": "2024-07-22T13:57:37.137Z",
"dateUpdated": "2024-08-05T10:22:35.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}