Skip to main content

Notesnook Web Desktop

1 CVEs product

Monthly

CVE-2026-33955 HIGH PATCH This Week

Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe `dangerouslySetInnerHTML` in the history comparison viewer, exploiting Electron's `nodeIntegration: true` and `contextIsolation: false` configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.

RCE XSS Notesnook Web Desktop
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe `dangerouslySetInnerHTML` in the history comparison viewer, exploiting Electron's `nodeIntegration: true` and `contextIsolation: false` configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.

RCE XSS Notesnook Web Desktop
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy