Skip to main content

Apple CVE-2026-33978

| EUVDEUVD-2026-17962 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.3.17
EUVD ID Assigned
Apr 01, 2026 - 17:30 euvd
EUVD-2026-17962
Analysis Generated
Apr 01, 2026 - 17:30 vuln.today
CVE Published
Apr 01, 2026 - 16:11 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17.

AnalysisAI

Stored cross-site scripting (XSS) in Notesnook mobile versions prior to 3.3.17 allows remote attackers to execute arbitrary JavaScript in the share editor WebView by injecting malicious HTML through unescaped clip metadata (title, subject, or link-preview data). When a victim opens the Notesnook share flow and selects Web clip, the attacker's payload executes with access to local context and user data. No public exploit code or active exploitation has been confirmed, though the vulnerability requires user interaction to trigger.

Technical ContextAI

The vulnerability exists in Notesnook's mobile share and web clip flow, which processes metadata (title, subject fields) from Android/iOS share intents and link previews. The application concatenates this attacker-controlled metadata directly into HTML markup that is subsequently rendered using innerHTML within a mobile editor WebView, without performing HTML entity encoding or sanitization. This is a classic stored XSS flaw (CWE-79) where untrusted data is inserted into a dynamic HTML context without output encoding. The affected product is Streetwriters Notesnook across mobile platforms (CPE: cpe:2.3:a:streetwriters:notesnook:*:*:*:*:*:*:*:*), with the vulnerability eliminated in version 3.3.17.

RemediationAI

Vendor-released patch: Notesnook version 3.3.17 or later. Users of Notesnook on Android and iOS should upgrade to version 3.3.17 or a later release immediately; the application should auto-update via the Google Play Store and Apple App Store. The patch corrects the vulnerability by HTML-escaping clip metadata before rendering it in the editor WebView, eliminating the XSS injection point. Users unable to upgrade immediately should avoid opening suspicious shared content (URLs with unusual titles or metadata) in the Notesnook share flow until patching is complete. No workarounds short of avoiding the web clip share flow are documented. Consult the official advisory at https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm for confirmation and release notes.

Share

CVE-2026-33978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy