
5 matches found

RedhatCVE
added 2026/04/18 7:22 a.m. | 1 view

CVE-2026-40262

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

CVSS 8.7 | AI score 5.7 | EPSS 0.00012
Exploits 0 | References 1

ATTACKERKB
added 2026/04/16 11:51 p.m. | 1 view

CVE-2026-40262

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

CVSS 8.7 | AI score 5.8 | EPSS 0.00012
Exploits 0 | References 4 | Affected software 1

Cvelist
added 2026/04/16 11:51 p.m. | 20 views

CVE-2026-40262 Note Mark has Stored XSS via Unrestricted Asset Upload

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

CVSS 8.7 | EPSS 0.00012
Exploits 0 | References 3

CVE
added 2026/04/16 11:51 p.m. | 4 views

CVE-2026-40262

In PT-Alert PT-2026-32118 (CVE-2026-40262) for Note Mark, a Stored XSS via Unrestricted Asset Upload is disclosed and fixed in version 0.19.2; all earlier versions are affected. Upgrade to 0.19.2 to mitigate. Other notes in the same disclosure reference related issues (CVE-2026-40263, CVE-2026-40...

CVSS 8.7 | AI score 5.8 | EPSS 0.00012
Exploits 0 | References 3

OSV
added 2026/04/13 7:23 p.m. | 0 views

GHSA-9PR4-RF97-79QH Note Mark has Stored XSS via Unrestricted Asset Upload

Summary A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and without...

CVSS 8.7 | AI score 5.8 | EPSS 0.00012
Exploits 0 | References 5
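All five records above describe the same mechanism: an asset handler that picks the content type by magic-byte sniffing, which recognises binary signatures but returns nothing for text formats such as HTML, SVG or XHTML, and then serves the upload inline, so the browser sniffs the body itself and renders attacker-controlled markup on the application's origin. The Go example below is added here to make that failure concrete next to a hardened delivery policy. It is not Note Mark's code: the magic-byte table, the `VulnerableAssetHeaders`/`HardenedAssetHeaders` policy functions, the `ServeAsset` handler and the sample uploads are all constructed for this example, and the hardening shown (an allow-list of types that may render inline, `application/octet-stream` plus `Content-Disposition: attachment` for everything else, `X-Content-Type-Options: nosniff` and a sandbox CSP) is a standard fix for this class of bug, not a description of what 0.19.2 actually changed.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"net/http"
)

// MagicType is a deliberately minimal magic-byte table standing in for the
// binary-signature sniffing the advisory describes (constructed for this
// example, not Note Mark's detector). It recognises a few binary formats and
// nothing else: HTML, SVG and XHTML have no fixed leading bytes, so they fall
// through and return "".
func MagicType(data []byte) string {
	signatures := []struct {
		prefix []byte
		mime   string
	}{
		{[]byte{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}, "image/png"},
		{[]byte{0xFF, 0xD8, 0xFF}, "image/jpeg"},
		{[]byte("GIF87a"), "image/gif"},
		{[]byte("GIF89a"), "image/gif"},
		{[]byte("%PDF-"), "application/pdf"},
	}
	for _, s := range signatures {
		if bytes.HasPrefix(data, s.prefix) {
			return s.mime
		}
	}
	return ""
}

// AssetHeaders is the set of response headers an asset-delivery handler
// decides on before writing the file body.
type AssetHeaders struct {
	ContentType        string
	ContentDisposition string
	ContentTypeOptions string // X-Content-Type-Options
	CSP                string // Content-Security-Policy
}

// VulnerableAssetHeaders models the weak policy from the advisory: every
// upload is served inline and the content type is whatever sniffing returned.
// For HTML/SVG that is "" here (an assumption for this example), so the
// browser sniffs the body, sees markup, and renders it as a same-origin page.
func VulnerableAssetHeaders(data []byte) AssetHeaders {
	return AssetHeaders{
		ContentType:        MagicType(data),
		ContentDisposition: "inline",
	}
}

// inlineAllowed is the only set of sniffed types allowed to render inline:
// binary raster images that cannot carry script when served under their own type.
var inlineAllowed = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
}

// HardenedAssetHeaders is deny-by-default: anything not on the inline
// allow-list is delivered as an opaque download. nosniff stops the browser
// from overriding the declared type, and the sandbox CSP removes script
// execution and same-origin access even if a file does get rendered.
func HardenedAssetHeaders(data []byte, filename string) AssetHeaders {
	h := AssetHeaders{
		ContentTypeOptions: "nosniff",
		CSP:                "sandbox; default-src 'none'",
	}
	if t := MagicType(data); inlineAllowed[t] {
		h.ContentType = t
		h.ContentDisposition = "inline"
		return h
	}
	h.ContentType = "application/octet-stream"
	// mime.FormatMediaType quotes awkward filenames and returns "" for ones it
	// cannot encode; never echo an unvalidated name straight into the header.
	h.ContentDisposition = "attachment"
	if cd := mime.FormatMediaType("attachment", map[string]string{"filename": filename}); cd != "" {
		h.ContentDisposition = cd
	}
	return h
}

// ServeAsset is a hypothetical handler shape that applies the hardened policy.
func ServeAsset(w http.ResponseWriter, data []byte, filename string) {
	h := HardenedAssetHeaders(data, filename)
	w.Header().Set("Content-Type", h.ContentType)
	w.Header().Set("Content-Disposition", h.ContentDisposition)
	w.Header().Set("X-Content-Type-Options", h.ContentTypeOptions)
	w.Header().Set("Content-Security-Policy", h.CSP)
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(data)
}

func main() {
	// Constructed sample uploads: two text payloads and one real PNG signature.
	samples := []struct {
		name string
		data []byte
	}{
		{"note.html", []byte("<html><body><script>alert(document.domain)</script></body></html>")},
		{"icon.svg", []byte(`<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>`)},
		{"img.png", []byte{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13}},
	}
	for _, s := range samples {
		fmt.Printf("%-10s magic=%q\n  weak=%+v\n  hardened=%+v\n",
			s.name, MagicType(s.data), VulnerableAssetHeaders(s.data), HardenedAssetHeaders(s.data, s.name))
	}
}
```

Running it shows the asymmetry the advisory points at: the PNG is identified and may render inline under both policies, while the HTML and SVG uploads sniff to an empty type. The weak policy still marks them `inline`, leaving the browser to guess; the hardened policy forces a download with `nosniff` and a sandbox CSP, so even a user who opens the file never gets script running on the application's origin.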