Skip to main content

Notesnook Web Desktop CVE-2026-33955

| EUVDEUVD-2026-16872 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-27 GitHub_M
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:11 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.3.11
EUVD ID Assigned
Mar 27, 2026 - 22:00 euvd
EUVD-2026-16872
Analysis Generated
Mar 27, 2026 - 22:00 vuln.today
CVE Published
Mar 27, 2026 - 21:27 nvd
HIGH 8.6

DescriptionGitHub Advisory

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using dangerouslySetInnerHTML without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 patches the issue.

AnalysisAI

Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe dangerouslySetInnerHTML in the history comparison viewer, exploiting Electron's nodeIntegration: true and contextIsolation: false configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability affects Notesnook Web/Desktop (cpe:2.3:a:streetwriters:notesnook_web/desktop), an Electron-based note-taking application. The root cause is improper neutralization of input during web page generation (CWE-79), specifically through React's dangerouslySetInnerHTML API used in the note history comparison viewer component. The escalation path from XSS to RCE exploits a dangerous Electron configuration: nodeIntegration: true allows renderer processes to access Node.js APIs, while contextIsolation: false disables the security boundary between application code and preload scripts. This configuration permits injected JavaScript to invoke Node.js modules like child_process or fs, converting a stored XSS into full system compromise. The attack vector involves the backup/restore feature, which processes attacker-controlled note content including malicious headers that bypass sanitization in the comparison viewer.

RemediationAI

Immediately upgrade Notesnook Web/Desktop to version 3.3.11 or later, which contains vendor-released patches addressing the unsafe dangerouslySetInnerHTML usage in the note history comparison viewer. The fix implements proper input sanitization for note headers before rendering and may include improvements to Electron security configuration. Users should update through the application's built-in update mechanism or download the latest version from official distribution channels. Until patching is complete, users should avoid restoring backup files from untrusted sources and exercise caution when using the note history comparison feature with notes from external collaborators. Organizations should prioritize updating desktop installations where the RCE escalation path exists. Refer to the vendor security advisory at https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v for additional guidance and release notes.

Share

CVE-2026-33955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy