CVE-2026-40262: Note Mark XSS Vulnerability

CVE-2026-40262 Overview

Note Mark is an open-source note-taking application that contains a stored Cross-Site Scripting (XSS) vulnerability in its asset delivery handler. The vulnerability exists because the application serves uploaded files inline and relies on magic-byte detection for content type, which fails to identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type header, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content.

Critical Impact

An authenticated attacker can upload malicious HTML or SVG files containing JavaScript that executes under the application's origin when victims navigate to the asset URL, providing access to authenticated sessions and API actions.

Affected Products

• Note Mark versions 0.19.1 and prior

Discovery Timeline

• 2026-04-17 - CVE CVE-2026-40262 published to NVD
• 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-40262

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The core issue lies in the asset delivery handler's content-type detection mechanism, which uses magic-byte detection to identify file types. This approach works well for binary formats but fails to properly identify text-based formats like HTML, SVG, and XHTML.

When a file with an unrecognized or empty MIME type is served, the application does not set proper security headers. The absence of the X-Content-Type-Options: nosniff header allows browsers to perform content sniffing, potentially interpreting the file as executable content. Combined with the inline content disposition, this creates a scenario where browsers will render HTML and execute embedded JavaScript in the context of the application's origin.

Root Cause

The root cause is insufficient content-type validation and missing security headers in the asset delivery handler. The backend/handlers/assets.go file served files with their detected MIME type (or empty if detection failed) and always used inline disposition without the nosniff directive. Text-based formats containing active content (HTML, SVG, XHTML) were not treated as security-sensitive file types requiring special handling.

Attack Vector

The attack requires network access and low privileges (authenticated user). An authenticated attacker uploads a malicious HTML or SVG file as a note asset. The file contains JavaScript code designed to steal session tokens, perform API actions on behalf of the victim, or exfiltrate sensitive data. When another authenticated user navigates to the asset URL, the browser interprets the file as HTML/SVG, executes the embedded JavaScript, and the malicious script runs with full access to the victim's authenticated session and the application's API.

// Security patch from backend/handlers/assets.go
// Before: Files served inline with detected MIME type, no nosniff header
// After: Dangerous file types forced to download as application/octet-stream

 		}
 		return &huma.StreamResponse{
 			Body: func(ctx huma.Context) {
-				ctx.SetHeader("Content-Type", info.MimeType)
+				ctx.SetHeader("X-Content-Type-Options", "nosniff")
+				if info.MimeType == "" || info.MimeType == "text/html" || info.MimeType == "image/svg+xml" {
+					ctx.SetHeader("Content-Type", "application/octet-stream")
+					ctx.SetHeader(
+						"Content-Disposition",
+						fmt.Sprintf("attachment; filename=\"%s\"", asset.Name))
+				} else {
+					ctx.SetHeader("Content-Type", info.MimeType)
+					ctx.SetHeader(
+						"Content-Disposition",
+						fmt.Sprintf("inline; filename=\"%s\"", asset.Name))
+				}
 				ctx.SetHeader(
 					"Last-Modified",
 					core.TimeIntoHTTPFormat(info.LastModified))
-				ctx.SetHeader(
-					"Content-Disposition",
-					fmt.Sprintf("inline; filename=\"%s\"", asset.Name))
 				writer := ctx.BodyWriter()
 				io.Copy(writer, stream)
 				stream.Close()

Source: GitHub Commit Update

Detection Methods for CVE-2026-40262

Indicators of Compromise

• Uploaded assets with .html, .svg, .xhtml, or .xml extensions in the notes storage directory
• HTTP responses for asset URLs missing the X-Content-Type-Options header
• Web server logs showing unusual access patterns to asset URLs from different user sessions
• Presence of JavaScript code within uploaded SVG or HTML files

Detection Strategies

• Implement web application firewall (WAF) rules to detect and block uploads of files containing <script> tags or JavaScript event handlers
• Monitor asset upload activity for suspicious file types, particularly HTML, SVG, and XHTML
• Analyze HTTP response headers for missing security headers on asset delivery endpoints
• Deploy endpoint detection solutions to identify JavaScript execution from unexpected origins

Monitoring Recommendations

• Enable detailed logging for all file upload and asset access operations
• Set up alerts for uploads of text-based file types that could contain active content
• Monitor for cross-origin requests and unusual session activity patterns
• Track Content-Type and Content-Disposition headers in outbound responses

How to Mitigate CVE-2026-40262

Immediate Actions Required

• Upgrade Note Mark to version 0.19.2 or later immediately
• Audit existing uploaded assets for potentially malicious HTML, SVG, or XHTML files
• Review access logs to identify if any exploitation attempts have occurred
• Consider temporarily disabling file upload functionality until the patch is applied

Patch Information

The vulnerability has been fixed in Note Mark version 0.19.2. The patch adds the X-Content-Type-Options: nosniff header to all asset responses and forces potentially dangerous file types (HTML, SVG, and files with empty MIME types) to be served with Content-Type: application/octet-stream and attachment disposition, preventing browsers from rendering them inline. The fix is available in commit 6bb62842ccb956870b9bf183629eba95e326e5e3. For details, see the GitHub Security Advisory GHSA-9pr4-rf97-79qh and the GitHub Release v0.19.2.

Workarounds

• Configure a reverse proxy (nginx, Apache) to add X-Content-Type-Options: nosniff header to all responses from the asset delivery endpoint
• Implement file upload restrictions to block HTML, SVG, XHTML, and XML file types at the application or proxy level
• Serve uploaded assets from a separate subdomain or origin to isolate them from the main application's session cookies
• Use Content Security Policy (CSP) headers to restrict script execution sources

# Nginx configuration to add security headers for asset endpoints
location /assets/ {
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "script-src 'none'" always;
    
    # Force download for potentially dangerous file types
    if ($request_filename ~* \.(html|svg|xhtml|xml)$) {
        add_header Content-Disposition "attachment" always;
        add_header Content-Type "application/octet-stream" always;
    }
}