Skip to main content

Notesnook EUVDEUVD-2026-27019

| CVE-2026-42090 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-05-04 GitHub_M
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch available
May 04, 2026 - 18:32 EUVD
Source Code Evidence Fetched
May 04, 2026 - 17:47 vuln.today
Analysis Generated
May 04, 2026 - 17:47 vuln.today
Patch released
May 04, 2026 - 17:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 17:15 euvd
EUVD-2026-27019
Analysis Generated
May 04, 2026 - 17:15 vuln.today
CVE Published
May 04, 2026 - 16:43 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.

AnalysisAI

Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.

Technical ContextAI

Notesnook is a cross-platform note-taking application built on Electron for desktop and native mobile frameworks. The vulnerability exploits the PDF export feature's HTML rendering pipeline. When exporting notes to PDF, the application generates an HTML template by directly inserting user-controlled fields (title, headline, note content) without HTML entity encoding. This HTML is then rendered into an iframe using the srcdoc attribute (iframe.srcdoc = ...), which loads content in the same origin as the parent application. The root CWE-79 (Cross-Site Scripting) is escalated to RCE through Electron's insecure configuration: nodeIntegration: true grants iframe content access to Node.js APIs including require(), child_process, and fs modules, while contextIsolation: false removes the security boundary between web content and Electron's privileged context. This configuration pattern directly violates Electron security best practices (Electron Security Checklist items 2 and 3). The affected CPE cpe:2.3:a:streetwriters:notesnook:*:*:*:*:*:*:*:* confirms streetwriters as vendor. Mobile versions (iOS/Android) are also vulnerable to the underlying XSS but lack the Electron-specific RCE vector, limiting impact to information disclosure within the WebView context.

RemediationAI

Upgrade immediately to Notesnook Desktop/Web version 3.3.15 or later (https://github.com/streetwriters/notesnook/releases/tag/v3.3.15) and Notesnook iOS/Android version 3.3.20 or later (https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android). Desktop users face critical RCE exposure and should prioritize this update. Until patching is complete, implement these compensating controls: (1) Disable or avoid using the Export to PDF feature entirely-this completely eliminates the attack vector but removes key functionality; (2) Do not import notes from untrusted sources or shared note repositories until upgraded; (3) Review existing notes for suspicious HTML/JavaScript content in title and body fields, particularly script tags, event handlers (onerror, onload), or data: URIs; (4) On Desktop, consider running Notesnook in a sandboxed environment (VM, container, or restricted user account) to contain potential RCE impact, though this adds operational overhead. No server-side or network-level mitigations are effective since the vulnerability exists in client-side rendering logic. Organizations using Notesnook in shared/collaborative environments should audit note access logs and treat all notes created or modified before patch deployment as potentially malicious. The vendor's coordinated cross-platform patch release suggests no architectural workarounds exist-upgrading is the definitive solution.

Share

EUVD-2026-27019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy