CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
Description
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a stored cross-site scripting (XSS) vulnerability in the note history comparison viewer can escalate to remote code execution in the desktop application. The issue is triggered when an attacker-controlled note header is rendered through `dangerouslySetInnerHTML` without sanitization. Combined with the full backup and restore feature of the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`, so script running in the renderer can reach Node APIs. Version 3.3.11 patches the issue.
Analysis
Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe `dangerouslySetInnerHTML` in the history comparison viewer, exploiting Electron's `nodeIntegration: true` and `contextIsolation: false` configuration to execute arbitrary code on victim systems. …
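The two ingredients the description and analysis name are untrusted markup handed to `dangerouslySetInnerHTML` and a renderer that can reach Node. The following is an added defensive example, not Notesnook's code and not taken from the advisory: it escapes a note header before it is placed into markup, and it audits an Electron `webPreferences` object for the settings called out above. The `renderHeader*` functions, `auditWebPreferences`, the `sampleHeader` string and the two preference objects are all constructed for illustration.

```javascript
// Added example (not Notesnook's code): the safe and unsafe way to put an
// untrusted string into markup, and an audit of Electron renderer settings.

// Minimal HTML escaper. Untrusted text becomes inert character data, so a
// header that contains markup characters is displayed literally.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Models what dangerouslySetInnerHTML={{ __html: header }} does: the raw
// string is parsed as markup. Anything the author of the note wrote, tags
// included, reaches the DOM unchanged.
function renderHeaderUnsafe(header) {
  return `<div class="history-header">${header}</div>`;
}

// Hardened form: escape first, then insert. Equivalent to rendering the header
// as a React text child instead of as __html.
function renderHeaderSafe(header) {
  return `<div class="history-header">${escapeHtml(header)}</div>`;
}

// Audits a BrowserWindow webPreferences object for the settings that let a
// renderer-side XSS escalate to code execution on the host. The sandbox check
// is an addition beyond the two settings the advisory names.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration is enabled');
  if (prefs.contextIsolation === false) findings.push('contextIsolation is disabled');
  if (prefs.sandbox === false) findings.push('sandbox is disabled');
  return findings;
}

// Constructed sample input: a benign header that happens to contain markup
// characters, and two hypothetical webPreferences objects.
const sampleHeader = 'Meeting <notes> & "todo"';
const vulnerableWindowPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedWindowPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log(renderHeaderUnsafe(sampleHeader));
console.log(renderHeaderSafe(sampleHeader));
console.log(auditWebPreferences(vulnerableWindowPrefs));
console.log(auditWebPreferences(hardenedWindowPrefs));
```

`contextIsolation` has defaulted to `true` since Electron 12 and `sandbox` to `true` since Electron 20, so the unsafe values only appear as explicit opt-outs; grepping `new BrowserWindow` calls for `nodeIntegration: true` or `contextIsolation: false` is a quick way to find renderers where an XSS would have this blast radius.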
Remediation
Within 24 hours: Audit deployed Notesnook versions across user base and document current version inventory. Within 7 days: Distribute Notesnook version 3.3.11 or later to all users and enforce upgrade via endpoint management if available; verify completion. …
Priority Score
External POC / Exploit Code
EUVD-2026-16872