Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

3.7 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.

Basic Information

ID CVE-2026-40263

Source GitHub_M

Published Apr 16, 2026 at 23:53

Affected Product

Vendor enchant97

Product note-mark

Version < 0.19.2

Affected Versions enchant97 note-mark < 0.19.2

CWE Classification

CWE-208

References

{
    "lastseen": "",
    "description": "Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.",
    "published": "2026-04-16T23:53:50.195Z",
    "modified": "2026-04-16T23:53:50.195Z",
    "type": "cve",
    "title": "Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel",
    "source": "GitHub_M",
    "references": "https://github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp\nhttps://github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034",
    "id": "CVE-2026-40263",
    "bulletinFamily": "",
    "cwe": [
        "CWE-208"
    ],
    "cvelist": null,
    "sourceData": "enchant97 note-mark < 0.19.2",
    "sourceHref": "",
    "cvss": {
        "score": 3.7,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "note-mark",
    "version": "< 0.19.2",
    "vendor": "enchant97",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel_CVE-2026-40263