Search criteria
8 vulnerabilities found for notesnook_desktop by streetwriters
CVE-2026-42090 (GCVE-0-2026-42090)
Vulnerability from nvd – Published: 2026-05-04 16:43 – Updated: 2026-05-05 03:56
VLAI?
Title
Notesnook: RCE via stored XSS in note export rendering
Summary
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
Severity ?
9.6 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
| https://github.com/streetwriters/notesnook/releas… | x_refsource_MISC |
| https://github.com/streetwriters/notesnook/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | notesnook |
Affected:
Notesnook Web/Desktop < 3.3.15
Affected: Notesnook iOS/Android < 3.3.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T03:56:38.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "notesnook",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "Notesnook Web/Desktop \u003c 3.3.15"
},
{
"status": "affected",
"version": "Notesnook iOS/Android \u003c 3.3.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app focused on user privacy \u0026 ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:43:07.527Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4"
},
{
"name": "https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android"
},
{
"name": "https://github.com/streetwriters/notesnook/releases/tag/v3.3.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/releases/tag/v3.3.15"
}
],
"source": {
"advisory": "GHSA-fjm8-jg78-89h4",
"discovery": "UNKNOWN"
},
"title": "Notesnook: RCE via stored XSS in note export rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42090",
"datePublished": "2026-05-04T16:43:07.527Z",
"dateReserved": "2026-04-23T19:17:30.566Z",
"dateUpdated": "2026-05-05T03:56:38.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33976 (GCVE-0-2026-33976)
Vulnerability from nvd – Published: 2026-03-27 21:26 – Updated: 2026-04-03 03:55
VLAI?
Title
Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering
Summary
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
Severity ?
9.7 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | Notesnook Web/Desktop |
Affected:
< 3.3.11
|
|
| streetwriters | Notesnook iOS/Android |
Affected:
< 3.3.17
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33976",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:22.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notesnook Web/Desktop",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.11"
}
]
},
{
"product": "Notesnook iOS/Android",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page\u2019s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T21:26:10.127Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5"
}
],
"source": {
"advisory": "GHSA-f42f-phvp-43x5",
"discovery": "UNKNOWN"
},
"title": "Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33976",
"datePublished": "2026-03-27T21:26:10.127Z",
"dateReserved": "2026-03-24T22:20:06.210Z",
"dateUpdated": "2026-04-03T03:55:22.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33955 (GCVE-0-2026-33955)
Vulnerability from nvd – Published: 2026-03-27 21:27 – Updated: 2026-04-03 13:02
VLAI?
Title
Notesnook vulnerable to RCE via stored XSS in Note History diff viewer
Summary
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.
Severity ?
8.6 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | Notesnook Web/Desktop |
Affected:
< 3.3.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33955",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T03:55:21.973411Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:02:56.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notesnook Web/Desktop",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T21:27:31.554Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v"
}
],
"source": {
"advisory": "GHSA-45g3-cv93-q59v",
"discovery": "UNKNOWN"
},
"title": "Notesnook vulnerable to RCE via stored XSS in Note History diff viewer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33955",
"datePublished": "2026-03-27T21:27:31.554Z",
"dateReserved": "2026-03-24T19:50:52.106Z",
"dateUpdated": "2026-04-03T13:02:56.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31876 (GCVE-0-2026-31876)
Vulnerability from nvd – Published: 2026-03-11 18:17 – Updated: 2026-03-12 20:08
VLAI?
Title
Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)
Summary
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
| https://github.com/streetwriters/notesnook/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | notesnook |
Affected:
< 3.3.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T20:08:06.045805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T20:08:12.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "notesnook",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app focused on user privacy \u0026 ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook\u0027s editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an \u003ciframe\u003e. This vulnerability is fixed in 3.3.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T18:17:08.142Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5"
},
{
"name": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7"
}
],
"source": {
"advisory": "GHSA-jprx-2w2h-4rh5",
"discovery": "UNKNOWN"
},
"title": "Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31876",
"datePublished": "2026-03-11T18:17:08.142Z",
"dateReserved": "2026-03-09T19:02:25.014Z",
"dateUpdated": "2026-03-12T20:08:12.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42090 (GCVE-0-2026-42090)
Vulnerability from cvelistv5 – Published: 2026-05-04 16:43 – Updated: 2026-05-05 03:56
VLAI?
Title
Notesnook: RCE via stored XSS in note export rendering
Summary
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
Severity ?
9.6 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
| https://github.com/streetwriters/notesnook/releas… | x_refsource_MISC |
| https://github.com/streetwriters/notesnook/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | notesnook |
Affected:
Notesnook Web/Desktop < 3.3.15
Affected: Notesnook iOS/Android < 3.3.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T03:56:38.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "notesnook",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "Notesnook Web/Desktop \u003c 3.3.15"
},
{
"status": "affected",
"version": "Notesnook iOS/Android \u003c 3.3.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app focused on user privacy \u0026 ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:43:07.527Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4"
},
{
"name": "https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android"
},
{
"name": "https://github.com/streetwriters/notesnook/releases/tag/v3.3.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/releases/tag/v3.3.15"
}
],
"source": {
"advisory": "GHSA-fjm8-jg78-89h4",
"discovery": "UNKNOWN"
},
"title": "Notesnook: RCE via stored XSS in note export rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42090",
"datePublished": "2026-05-04T16:43:07.527Z",
"dateReserved": "2026-04-23T19:17:30.566Z",
"dateUpdated": "2026-05-05T03:56:38.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33955 (GCVE-0-2026-33955)
Vulnerability from cvelistv5 – Published: 2026-03-27 21:27 – Updated: 2026-04-03 13:02
VLAI?
Title
Notesnook vulnerable to RCE via stored XSS in Note History diff viewer
Summary
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.
Severity ?
8.6 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | Notesnook Web/Desktop |
Affected:
< 3.3.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33955",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T03:55:21.973411Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:02:56.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notesnook Web/Desktop",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T21:27:31.554Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v"
}
],
"source": {
"advisory": "GHSA-45g3-cv93-q59v",
"discovery": "UNKNOWN"
},
"title": "Notesnook vulnerable to RCE via stored XSS in Note History diff viewer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33955",
"datePublished": "2026-03-27T21:27:31.554Z",
"dateReserved": "2026-03-24T19:50:52.106Z",
"dateUpdated": "2026-04-03T13:02:56.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33976 (GCVE-0-2026-33976)
Vulnerability from cvelistv5 – Published: 2026-03-27 21:26 – Updated: 2026-04-03 03:55
VLAI?
Title
Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering
Summary
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
Severity ?
9.7 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | Notesnook Web/Desktop |
Affected:
< 3.3.11
|
|
| streetwriters | Notesnook iOS/Android |
Affected:
< 3.3.17
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33976",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:22.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notesnook Web/Desktop",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.11"
}
]
},
{
"product": "Notesnook iOS/Android",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page\u2019s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T21:26:10.127Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5"
}
],
"source": {
"advisory": "GHSA-f42f-phvp-43x5",
"discovery": "UNKNOWN"
},
"title": "Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33976",
"datePublished": "2026-03-27T21:26:10.127Z",
"dateReserved": "2026-03-24T22:20:06.210Z",
"dateUpdated": "2026-04-03T03:55:22.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31876 (GCVE-0-2026-31876)
Vulnerability from cvelistv5 – Published: 2026-03-11 18:17 – Updated: 2026-03-12 20:08
VLAI?
Title
Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)
Summary
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/streetwriters/notesnook/securi… | x_refsource_CONFIRM |
| https://github.com/streetwriters/notesnook/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| streetwriters | notesnook |
Affected:
< 3.3.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T20:08:06.045805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T20:08:12.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "notesnook",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app focused on user privacy \u0026 ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook\u0027s editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an \u003ciframe\u003e. This vulnerability is fixed in 3.3.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T18:17:08.142Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5"
},
{
"name": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7"
}
],
"source": {
"advisory": "GHSA-jprx-2w2h-4rh5",
"discovery": "UNKNOWN"
},
"title": "Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31876",
"datePublished": "2026-03-11T18:17:08.142Z",
"dateReserved": "2026-03-09T19:02:25.014Z",
"dateUpdated": "2026-03-12T20:08:12.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}