CVE-2026-40263
LOWNote Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Title source: cnaDescription
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp
X_Refsource_Misc x_refsource_misc
https://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034
Scores
CVSS v3
3.7
EPSS
0.0020
EPSS Percentile
9.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-208
Status
published
Products (2)
enchant97/note-mark
0 - 0.19.2-0.20260411145025-cf4c6f6acf70Go
enchant97/note-mark
< 0.19.2
Published
Apr 17, 2026
Tracked Since
Apr 17, 2026