Description

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.

INFO

Published Date :

2026-04-16T23:53:50.195Z

Last Modified :

2026-04-16T23:53:50.195Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40263 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40263.

URL Resource
https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034 cve-icon cve-icon
https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact