Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using dangerouslySetInnerHTML without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 patches the issue.
AnalysisAI
Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe dangerouslySetInnerHTML in the history comparison viewer, exploiting Electron's nodeIntegration: true and contextIsolation: false configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.
Technical ContextAI
This vulnerability affects Notesnook Web/Desktop (cpe:2.3:a:streetwriters:notesnook_web/desktop), an Electron-based note-taking application. The root cause is improper neutralization of input during web page generation (CWE-79), specifically through React's dangerouslySetInnerHTML API used in the note history comparison viewer component. The escalation path from XSS to RCE exploits a dangerous Electron configuration: nodeIntegration: true allows renderer processes to access Node.js APIs, while contextIsolation: false disables the security boundary between application code and preload scripts. This configuration permits injected JavaScript to invoke Node.js modules like child_process or fs, converting a stored XSS into full system compromise. The attack vector involves the backup/restore feature, which processes attacker-controlled note content including malicious headers that bypass sanitization in the comparison viewer.
RemediationAI
Immediately upgrade Notesnook Web/Desktop to version 3.3.11 or later, which contains vendor-released patches addressing the unsafe dangerouslySetInnerHTML usage in the note history comparison viewer. The fix implements proper input sanitization for note headers before rendering and may include improvements to Electron security configuration. Users should update through the application's built-in update mechanism or download the latest version from official distribution channels. Until patching is complete, users should avoid restoring backup files from untrusted sources and exercise caution when using the note history comparison feature with notes from external collaborators. Organizations should prioritize updating desktop installations where the RCE escalation path exists. Refer to the vendor security advisory at https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v for additional guidance and release notes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16872