CVE-2026-40263

Published: Apr 16, 2026

Modified: Apr 17, 2026

PUBLISHED

CVSS v3.1

3.7

LOW

Description

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.

Vendor	Product	Versions
enchant97	note-mark	affected `< 0.19.2`

Weaknesses (CWE)

CWE-208

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp

x_refsource_CONFIRM

https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-40263

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References