PT-2026-32118 · Note Mark

Published 2026-04-11 · Updated 2026-04-17 · CVE-2026-40262

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Note Mark versions prior to 0.19.2
Description: A stored same-origin cross-site scripting (XSS) issue exists where the asset delivery handler serves uploaded files inline and relies on magic-byte detection to determine the content type. This method fails to identify text-based formats such as HTML, SVG, or XHTML, so such files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and an inline disposition; browsers may therefore sniff the body and render it as active content. An authenticated user can upload a malicious HTML or SVG file containing JavaScript as a note asset via the endpoint '/api/notes/{noteID}/assets/{assetID}'. When a victim navigates to the asset URL, the script executes under the application origin, granting access to the victim's authenticated session and API actions.
Recommendations: Update to version 0.19.2.
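To make the failure mode concrete, the following is an added Go example written for this advisory; it is not Note Mark's code, and the advisory does not show the project's handler. The signature table, the function names (DetectByMagicBytes, VulnerableHeaders, HardenedHeaders, DeliveryIsSafe) and the sample bodies are all constructed for the illustration. The first handler reproduces the three properties the description names (empty Content-Type from magic-byte-only detection, inline disposition, no nosniff); the second shows the usual hardening: render inline only positively identified images, deliver everything else as an opaque download, pin the type with nosniff, and add a restrictive CSP for the asset response. DeliveryIsSafe checks those properties on any http.Header, so it can also be pointed at the headers of a live response when verifying a deployment.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Toy magic-byte table containing only binary image signatures. Text formats
// such as HTML, SVG or XHTML have no signature, so detection yields "" for them.
// Constructed for this example; it is not the detection library the project uses.
var imageSignatures = map[string][]byte{
	"image/png":  {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'},
	"image/jpeg": {0xFF, 0xD8, 0xFF},
	"image/gif":  []byte("GIF8"),
}

// DetectByMagicBytes mirrors magic-byte-only detection: an image type when a
// signature matches at offset 0, otherwise the empty string.
func DetectByMagicBytes(data []byte) string {
	for ct, sig := range imageSignatures {
		if bytes.HasPrefix(data, sig) {
			return ct
		}
	}
	return ""
}

// VulnerableHeaders reproduces the delivery pattern the advisory describes:
// whatever detection returned (possibly empty) becomes the Content-Type, the
// file is always served inline, and no nosniff header is set, so the browser
// is free to sniff an uploaded SVG/HTML body and render it on the app origin.
func VulnerableHeaders(filename string, data []byte) http.Header {
	h := http.Header{}
	h.Set("Content-Type", DetectByMagicBytes(data))
	h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", filename))
	return h
}

// HardenedHeaders renders inline only assets positively identified as raster
// images; every other body, including all text-based formats, is delivered as
// an opaque download. nosniff stops the browser from second-guessing the type,
// and the CSP keeps even an inline response inert if the allowlist ever widens.
func HardenedHeaders(filename string, data []byte) http.Header {
	h := http.Header{}
	if ct := DetectByMagicBytes(data); ct != "" {
		h.Set("Content-Type", ct)
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", filename))
	} else {
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filename))
	}
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

// DeliveryIsSafe checks the three properties the advisory calls out: a concrete
// Content-Type, X-Content-Type-Options: nosniff, and inline rendering only for
// allowlisted image types. A missing Content-Disposition counts as inline,
// which is the browser default.
func DeliveryIsSafe(h http.Header) bool {
	ct := h.Get("Content-Type")
	if ct == "" || !strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff") {
		return false
	}
	disp := strings.ToLower(h.Get("Content-Disposition"))
	if strings.HasPrefix(disp, "attachment") {
		return true
	}
	_, allowlisted := imageSignatures[ct]
	return allowlisted
}

func main() {
	// Constructed sample bodies: a PNG header and a benign SVG document.
	png := append([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}, []byte("...")...)
	svg := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><text>hello</text></svg>`)

	for _, c := range []struct {
		name string
		data []byte
	}{{"note.png", png}, {"note.svg", svg}} {
		fmt.Printf("%s vulnerable: safe=%v %v\n", c.name, DeliveryIsSafe(VulnerableHeaders(c.name, c.data)), VulnerableHeaders(c.name, c.data))
		fmt.Printf("%s hardened:   safe=%v %v\n", c.name, DeliveryIsSafe(HardenedHeaders(c.name, c.data)), HardenedHeaders(c.name, c.data))
	}
}
```

The key design choice is that the hardened path never trusts a detection result of "" as meaning "harmless": an unidentified body is treated as potentially active and forced to a download with a fixed type, whereas the vulnerable path lets that empty result flow straight into the response and leaves the decision to the browser's sniffer.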

Fix

Unrestricted File Upload

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-40262
GHSA-9PR4-RF97-79QH

Affected Products

Note Mark