CVE-2026-40262
Published: 17 April 2026
Summary
CVE-2026-40262 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 22.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-40262 affects Note Mark, an open-source note-taking application, in versions 0.19.1 and prior. The vulnerability resides in the asset delivery handler, which serves uploaded files inline and determines content types via magic-byte detection. This method fails to identify text-based formats like HTML, SVG, or XHTML, resulting in these files being delivered with an empty Content-Type header, no X-Content-Type-Options: nosniff header, and an inline disposition. Browsers can thus perform content sniffing and render active content within these files. The issue is rated at CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-79 (Cross-site Scripting) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An authenticated user with low privileges can exploit this by uploading an HTML or SVG file containing JavaScript as a note asset. When another user (the victim) navigates to the direct asset URL—potentially via a shared link or note reference—the malicious script executes in the browser under the Note Mark application's origin. This grants the script access to the victim's authenticated session cookies and the ability to perform API actions on their behalf, enabling high confidentiality and integrity impacts such as data theft, account takeover, or unauthorized modifications. Exploitation requires user interaction from the victim but is otherwise low complexity over the network with a changed scope.
The vulnerability has been addressed in Note Mark version 0.19.2. The GitHub security advisory (GHSA-9pr4-rf97-79qh), release notes for v0.19.2, and the fixing commit (6bb62842ccb956870b9bf183629eba95e326e5e3) detail the patch, which security practitioners should review for implementation specifics and apply by upgrading affected instances.
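As an added illustration, not Note Mark's code and not the fixing commit, the following Go handler applies the three corrections the analysis above calls for: a content type derived from the file bytes with http.DetectContentType (which, unlike pure magic-byte detection, recognises HTML and text), an inline allowlist so that HTML, SVG, XHTML and unknown types are downgraded to an opaque attachment, and an X-Content-Type-Options: nosniff header. The allowlist, the sandboxing CSP and the sample uploads are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// Assumed allowlist: only content types a browser renders without running
// script are ever served inline. Everything else becomes a download.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// classifyAsset derives Content-Type and Content-Disposition from the bytes
// alone, never from the uploader's filename. HTML, SVG, XHTML and unknown
// types all fall outside the allowlist and are downgraded to an attachment.
func classifyAsset(data []byte, filename string) (ctype, disposition string) {
	ctype = http.DetectContentType(data)
	params := map[string]string{"filename": filename}
	if inlineSafe[ctype] {
		return ctype, mime.FormatMediaType("inline", params)
	}
	return "application/octet-stream", mime.FormatMediaType("attachment", params)
}

// serveAsset sets the headers the advisory reports as missing (concrete
// Content-Type, nosniff, content-derived disposition) plus a sandboxing CSP.
func serveAsset(w http.ResponseWriter, data []byte, filename string) {
	ctype, disp := classifyAsset(data, filename)
	h := w.Header()
	h.Set("Content-Type", ctype)
	h.Set("Content-Disposition", disp)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

func main() {
	// Constructed samples: a real PNG header, and an HTML file named like an image.
	samples := map[string][]byte{
		"photo.png": []byte("\x89PNG\r\n\x1a\n...image data..."),
		"page.png":  []byte("<!DOCTYPE html><html><body>not an image</body></html>"),
	}
	for name, data := range samples {
		rec := httptest.NewRecorder()
		serveAsset(rec, data, name)
		fmt.Printf("%-10s %s | %s\n", name, rec.Header().Get("Content-Type"), rec.Header().Get("Content-Disposition"))
	}
}
```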
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23332
Vulnerability details
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application's origin with access to the victim's authenticated session and API actions. This issue has been fixed in version 0.19.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows an authenticated attacker to upload HTML/SVG files containing JavaScript that are served without proper Content-Type or nosniff headers, directly enabling client-side JavaScript execution in the victim's browser (T1059.007). This also facilitates stealing session cookies and performing unauthorized API actions, mapping to browser session hijacking (T1185).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of uploaded note assets so that dangerous text-based formats such as HTML or SVG containing JavaScript are detected and rejected at upload time.
- CM-6 (Configuration Settings): requires secure configuration of the asset delivery handler so that it sets a proper Content-Type, includes X-Content-Type-Options: nosniff, and uses a non-inline disposition, blocking browser content sniffing and script execution.
- SI-3 (Malicious Code Protection): deploys malicious code protection mechanisms that scan uploaded files for executable JavaScript in HTML/SVG assets at entry points, preventing and detecting XSS payloads.