EUVD-2026-16874CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using contentDocument.write(...). Event-handler attributes such as onload, onclick, or onmouseover execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
AnalysisAI
Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Victim must use Notesnook Web/Desktop (before v3.3.11) or Android/iOS (before v3.3.17). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Despite the Critical 9.6 CVSS score, real-world risk requires contextual interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker creates a malicious webpage containing a root HTML element with embedded event handlers such as <html onload='malicious_code'> and induces a Notesnook user to clip this page using the Web Clipper browser extension, perhaps by disguising it as legitimate research content or documentation. When the victim later opens the saved clip within the Notesnook desktop application, the unsanitized onload attribute executes arbitrary JavaScript in the application's security context. … |
| Remediation | Vendor-released patch: Upgrade immediately to Notesnook version 3.3.11 for Web/Desktop platforms or version 3.3.17 for Android/iOS mobile applications. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Notesnook Web Clipper installations across the organization (web, desktop, Android, iOS) and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Sandbox escape in Google Chrome on iOS before 149.0.7827.53 can be triggered by a remote attacker who lures a user to a
Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL
Remote code execution in Google Chrome for iOS versions prior to 149.0.7827.53 allows a remote attacker to execute arbit
Remote code execution in Google Chrome for iOS prior to version 149.0.7827.53 allows a remote attacker to execute arbitr
Remote code execution in Google Chrome for iOS before 149.0.7827.53 allows a remote attacker to execute arbitrary code b
Share
External POC / Exploit Code
Leaving vuln.today