Note Mark stored XSS via file upload (CVE-2026-40262)
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which do...
Overview
A high-severity stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-40262, has been patched in Note Mark, an open-source note-taking application. It affects versions 0.19.1 and earlier and lets any authenticated user execute arbitrary JavaScript in another user's session.
Vulnerability Details
The vulnerability resides in the application's asset delivery handler. When a user uploads a file as a note asset, the server determines its content type by inspecting the file's leading "magic bytes". Signature-based detection recognises binary formats but has no signatures for text-based formats such as HTML, SVG or XHTML, so for those files detection yields nothing. The handler then serves the file inline with an empty Content-Type header and without X-Content-Type-Options: nosniff. With no declared type and nothing forbidding sniffing, the browser infers the type from the content itself and, for HTML or SVG, renders it as a document and executes any script it contains.
An authenticated user exploits this by uploading an HTML or SVG file that contains JavaScript as a note asset. When another user (the victim) opens the asset's URL, the embedded script runs in the application's origin. Because it runs in the same origin, the script has everything the application's own front end has: the victim's cookies (unless flagged HttpOnly), any token kept in browser storage, and the ability to call the application's API as the victim.
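As an added illustration (this is not Note Mark's code, which the page does not reproduce), the Go program below contrasts a handler built the way the advisory describes with a hardened version. The signature-only detector, the sample uploads, the handler names and the inline-type allowlist are all assumptions made for the example; Note Mark's actual detection library and routes are not shown on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// Constructed uploads for the demonstration (not real Note Mark assets):
// a PNG signature with filler bytes, an SVG carrying a script, and an HTML file.
var (
	samplePNG  = append([]byte("\x89PNG\r\n\x1a\n"), bytes.Repeat([]byte{0}, 64)...)
	sampleSVG  = []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>`)
	sampleHTML = []byte(`<!DOCTYPE html><script>alert(document.domain)</script>`)
)

// magicType mimics signature-only detection (an assumed stand-in for the
// library the advisory alludes to): it knows a few binary formats by their
// leading bytes and returns "" for everything else. Plain text has no
// signature, so HTML, SVG and XHTML all come back as "".
func magicType(data []byte) string {
	switch {
	case bytes.HasPrefix(data, []byte("\x89PNG\r\n\x1a\n")):
		return "image/png"
	case bytes.HasPrefix(data, []byte("\xff\xd8\xff")):
		return "image/jpeg"
	case bytes.HasPrefix(data, []byte("GIF87a")), bytes.HasPrefix(data, []byte("GIF89a")):
		return "image/gif"
	case bytes.HasPrefix(data, []byte("%PDF-")):
		return "application/pdf"
	}
	return ""
}

// serveVulnerable reproduces the pattern the advisory describes: the detected
// type is written as-is (empty for text formats), nothing forbids sniffing,
// and no Content-Disposition is set, so the browser renders the body inline.
func serveVulnerable(w http.ResponseWriter, name string, data []byte) {
	_ = name
	w.Header().Set("Content-Type", magicType(data))
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(data)
}

// inlineTypes is the allowlist of detected types permitted to render inline:
// raster images, which browsers never execute. Everything else is a download.
var inlineTypes = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true}

// serveHardened never lets the browser decide: an explicit type (falling back
// to application/octet-stream, not to ""), nosniff, and attachment disposition
// for anything not on the allowlist.
func serveHardened(w http.ResponseWriter, name string, data []byte) {
	h := w.Header()
	ct := magicType(data)
	disposition := "inline"
	if !inlineTypes[ct] {
		ct = "application/octet-stream"
		disposition = "attachment"
	}
	// mime.FormatMediaType quotes or rejects the filename, so a crafted name
	// cannot smuggle extra header parameters.
	cd := mime.FormatMediaType(disposition, map[string]string{"filename": name})
	if cd == "" {
		cd = disposition + `; filename="asset"`
	}
	h.Set("Content-Type", ct)
	h.Set("Content-Disposition", cd)
	h.Set("X-Content-Type-Options", "nosniff")
	// Defence in depth: should a response ever be rendered as a document,
	// the CSP sandbox denies it script execution and same-origin privileges.
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(data)
}

// probe runs a handler against one constructed upload and returns the
// response headers it produced.
func probe(handle func(http.ResponseWriter, string, []byte), name string, data []byte) http.Header {
	rec := httptest.NewRecorder()
	handle(rec, name, data)
	return rec.Result().Header
}

func main() {
	uploads := []struct {
		name string
		data []byte
	}{{"note.png", samplePNG}, {"payload.svg", sampleSVG}, {"payload.html", sampleHTML}}
	for _, u := range uploads {
		v := probe(serveVulnerable, u.name, u.data)
		h := probe(serveHardened, u.name, u.data)
		fmt.Printf("%-13s vulnerable: Content-Type=%q nosniff=%q\n", u.name, v.Get("Content-Type"), v.Get("X-Content-Type-Options"))
		fmt.Printf("%-13s hardened:   Content-Type=%q nosniff=%q %s\n", "", h.Get("Content-Type"), h.Get("X-Content-Type-Options"), h.Get("Content-Disposition"))
	}
}
```

Running it shows the PNG labelled correctly by both handlers while the SVG and HTML leave the vulnerable handler with an empty Content-Type and no protective headers; the hardened handler turns the same two uploads into octet-stream attachments. Note that a text-aware sniffer such as Go's http.DetectContentType would have labelled the HTML as text/html rather than "", which does not help: once a text document is rendered inline in the application's origin the script runs regardless of how accurately it was labelled. The fix is to refuse inline rendering for anything not known to be inert.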
Impact
Successful exploitation gives the attacker control of the victim's account within Note Mark: whatever the victim is authorized to do, including reading, modifying or deleting notes and files, the injected script can do on their behalf, and if the victim is an administrator the attacker inherits that role's privileges. Notes frequently hold credentials and internal documentation, so the exposure may extend beyond the application itself. Exploitation requires only a low-privilege authenticated account, so the risk is greatest in multi-user deployments, where any user can upload an asset that others will open.
Remediation and Mitigation
The issue is fixed in Note Mark version 0.19.2, and all deployments should upgrade. No workaround is published upstream; upgrading is the only complete fix. Until the update can be applied, administrators can reduce exposure by auditing user-uploaded assets for HTML, SVG or XHTML content and by restricting upload permissions where feasible. Deployments fronted by a reverse proxy can additionally force Content-Disposition: attachment on responses from the asset endpoint, which makes browsers download rather than render uploads; this narrows the window but does not replace the patch.
For organizations investigating possible exploitation, access logs for the /assets/ endpoints are the place to start. Two signals are worth pulling out: asset URLs fetched by accounts other than the one that uploaded them, and, where the logs record the Referer header, requests to API routes whose Referer is an asset URL, which indicates script running inside a rendered upload rather than the application's own front end.
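One concrete way to triage such logs, added here as an example rather than anything Note Mark ships: the Go program below parses constructed access-log lines in combined format and flags API requests whose Referer is an asset URL, and lists which accounts fetched each asset. It assumes the reverse proxy or application records the authenticated account in the remote-user field, and the upload, asset and API paths in the sample are hypothetical stand-ins for your deployment's real routes.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Constructed access-log lines (combined format, authenticated account in the
// remote-user field). Paths are hypothetical. The fourth line is the tell: an
// API call whose Referer is an asset URL, meaning script inside a rendered
// upload issued the request with alice's session.
const sampleLog = `10.0.0.5 - mallory [02/Mar/2026:10:01:12 +0000] "POST /api/notes/42/assets HTTP/1.1" 201 98 "-" "curl/8.5.0"
10.0.0.5 - mallory [02/Mar/2026:10:01:40 +0000] "GET /assets/9f1c2a HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.9 - alice [02/Mar/2026:10:07:03 +0000] "GET /assets/9f1c2a HTTP/1.1" 200 512 "https://notes.example/note/42" "Mozilla/5.0"
10.0.0.9 - alice [02/Mar/2026:10:07:04 +0000] "GET /api/notes HTTP/1.1" 200 8804 "https://notes.example/assets/9f1c2a" "Mozilla/5.0"
10.0.0.7 - bob [02/Mar/2026:10:15:30 +0000] "GET /assets/77aa01 HTTP/1.1" 200 2048 "https://notes.example/note/7" "Mozilla/5.0"`

type entry struct {
	ip, user, method, path, referer, agent string
	status                                  int
	at                                      time.Time
}

// logRe matches one combined-format line: ip ident user [time] "method path proto" status bytes "referer" "agent".
var logRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$`)

func parseLine(line string) (entry, bool) {
	m := logRe.FindStringSubmatch(line)
	if m == nil {
		return entry{}, false
	}
	at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[3])
	if err != nil {
		return entry{}, false
	}
	status, _ := strconv.Atoi(m[6])
	return entry{ip: m[1], user: m[2], at: at, method: m[4], path: m[5], status: status, referer: m[7], agent: m[8]}, true
}

// finding records a request the application's own pages would never make.
type finding struct {
	User    string    // account whose session issued the request
	Asset   string    // asset document the request came from (Referer path)
	Request string    // method and path called from inside that asset
	At      time.Time // when it happened
}

// analyze flags requests to non-asset endpoints whose Referer is an uploaded
// asset. The legitimate front end never calls the API from an /assets/
// document, so this pattern indicates script executing inside a rendered upload.
func analyze(logText string) []finding {
	var out []finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		ref, err := url.Parse(e.referer)
		if err != nil || !strings.HasPrefix(ref.Path, "/assets/") {
			continue
		}
		if strings.HasPrefix(e.path, "/assets/") {
			continue // an asset loading another asset (e.g. an <img>), not an API call
		}
		out = append(out, finding{User: e.user, Asset: ref.Path, Request: e.method + " " + e.path, At: e.at})
	}
	return out
}

// assetReaders maps each asset path to the distinct accounts that fetched it,
// in order of first appearance, so an investigator can scope who may have
// rendered a malicious upload even when Referer is not logged.
func assetReaders(logText string) map[string][]string {
	readers := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok || e.method != "GET" || !strings.HasPrefix(e.path, "/assets/") {
			continue
		}
		seen := false
		for _, u := range readers[e.path] {
			if u == e.user {
				seen = true
				break
			}
		}
		if !seen {
			readers[e.path] = append(readers[e.path], e.user)
		}
	}
	return readers
}

func main() {
	for _, f := range analyze(sampleLog) {
		fmt.Printf("SUSPICIOUS %s: %s made %s from inside %s\n", f.At.Format(time.RFC3339), f.User, f.Request, f.Asset)
	}
	for asset, users := range assetReaders(sampleLog) {
		fmt.Printf("%s fetched by %s\n", asset, strings.Join(users, ", "))
	}
}
```

The Referer signal depends on the application's Referrer-Policy: the browser default for same-origin requests sends the full URL, but a policy of no-referrer removes it, in which case the per-asset reader list is the fallback for scoping potential victims. Real logs will need the regular expression adjusted to the proxy's format.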
Security Insight
This vulnerability highlights the persistent risk of improper content-type handling in web applications. Relying on file-signature detection alone while omitting the nosniff header is a classic misconfiguration that has produced the same class of XSS in other software. Even a simple upload feature needs the full chain of controls: an explicit Content-Type on every response (falling back to application/octet-stream, never to an empty value), X-Content-Type-Options: nosniff, an attachment disposition for anything that can carry script, and, where possible, a separate origin for user-supplied content so that a rendered upload cannot reach the application's session even if the other controls fail.