3 matches found
CVE-2026-40262 Note Mark has Stored XSS via Unrestricted Asset Upload
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...
PT-2026-32120
Name of the Vulnerable Software and Affected Versions Note Mark versions prior to 0.19.2 Description A broken access control issue exists in the asset download endpoint '/api/notes/noteID/assets/assetID'. The endpoint is registered without authentication middleware, and the backend query fails to...
PT-2026-32118
Name of the Vulnerable Software and Affected Versions Note Mark versions prior to 0.19.2 Description A stored same-origin cross-site scripting XSS issue exists where the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type. This method fails to...