CVE-2026-40262: Note Mark has Stored XSS via Unrestricted Asset Upload
(updated )
A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and without nosniff, browsers can sniff and render active content, giving the attacker access to authenticated Note Mark API actions as the victim.
References
- github.com/advisories/GHSA-9pr4-rf97-79qh
- github.com/enchant97/note-mark
- github.com/enchant97/note-mark/commit/6bb62842ccb956870b9bf183629eba95e326e5e3
- github.com/enchant97/note-mark/releases/tag/v0.19.2
- github.com/enchant97/note-mark/security/advisories/GHSA-9pr4-rf97-79qh
- nvd.nist.gov/vuln/detail/CVE-2026-40262
Code Behaviors & Features
Detect and mitigate CVE-2026-40262 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →