Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
AnalysisAI
Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.
Technical ContextAI
Notesnook is a cross-platform note-taking application built on Electron for desktop and native mobile frameworks. The vulnerability exploits the PDF export feature's HTML rendering pipeline. When exporting notes to PDF, the application generates an HTML template by directly inserting user-controlled fields (title, headline, note content) without HTML entity encoding. This HTML is then rendered into an iframe using the srcdoc attribute (iframe.srcdoc = ...), which loads content in the same origin as the parent application. The root CWE-79 (Cross-Site Scripting) is escalated to RCE through Electron's insecure configuration: nodeIntegration: true grants iframe content access to Node.js APIs including require(), child_process, and fs modules, while contextIsolation: false removes the security boundary between web content and Electron's privileged context. This configuration pattern directly violates Electron security best practices (Electron Security Checklist items 2 and 3). The affected CPE cpe:2.3:a:streetwriters:notesnook:*:*:*:*:*:*:*:* confirms streetwriters as vendor. Mobile versions (iOS/Android) are also vulnerable to the underlying XSS but lack the Electron-specific RCE vector, limiting impact to information disclosure within the WebView context.
RemediationAI
Upgrade immediately to Notesnook Desktop/Web version 3.3.15 or later (https://github.com/streetwriters/notesnook/releases/tag/v3.3.15) and Notesnook iOS/Android version 3.3.20 or later (https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android). Desktop users face critical RCE exposure and should prioritize this update. Until patching is complete, implement these compensating controls: (1) Disable or avoid using the Export to PDF feature entirely-this completely eliminates the attack vector but removes key functionality; (2) Do not import notes from untrusted sources or shared note repositories until upgraded; (3) Review existing notes for suspicious HTML/JavaScript content in title and body fields, particularly script tags, event handlers (onerror, onload), or data: URIs; (4) On Desktop, consider running Notesnook in a sandboxed environment (VM, container, or restricted user account) to contain potential RCE impact, though this adds operational overhead. No server-side or network-level mitigations are effective since the vulnerability exists in client-side rendering logic. Organizations using Notesnook in shared/collaborative environments should audit note access logs and treat all notes created or modified before patch deployment as potentially malicious. The vendor's coordinated cross-platform patch release suggests no architectural workarounds exist-upgrading is the definitive solution.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27019