Impact
Prior to version 3.3.9, Notesnook’s editor allowed users to embed Twitter/X URLs directly into a note. The tweetToEmbed() function in component.tsx concatenated the user-supplied URL into an HTML string that was then assigned to the srcdoc attribute of an iframe. Because the URL was neither validated nor escaped, an attacker could break out of the surrounding markup and inject arbitrary HTML and JavaScript into that string. When the note is later opened, the injected script runs in the viewer’s browser context; since an iframe populated through srcdoc inherits the origin of the embedding document unless it carries a sandbox attribute, the script is not isolated from the editor itself. This can lead to session hijacking, credential theft, or any other action performed with the viewer’s privileges inside the application. The flaw is a classic stored Cross‑Site Scripting vulnerability, classified as CWE‑79.
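The pattern the advisory describes, shown as an added example that is not Notesnook’s own code: a hypothetical vulnerableTweetToEmbed() that concatenates the URL straight into the srcdoc markup, next to a hardened version that parses the URL, allowlists the host, requires the /user/status/<id> path shape and rebuilds a canonical URL instead of reusing the input. The function names, the host allowlist and the injected payload are assumptions constructed for illustration.

```javascript
// Added example, not Notesnook's code. Function names, allowlist and payload
// are hypothetical; they illustrate the advisory's pattern and one fix for it.

// Vulnerable pattern: the untrusted URL is concatenated into the HTML that
// becomes the iframe's srcdoc. Nothing keeps the input inside the href
// attribute, so a crafted URL injects markup and script of its own.
function vulnerableTweetToEmbed(url) {
  return '<blockquote class="twitter-tweet"><a href="' + url + '"></a></blockquote>' +
    '<script async src="https://platform.twitter.com/widgets.js"></script>';
}

// Minimal HTML escaping for text and double-quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Assumed allowlist of hosts that serve tweet pages.
const ALLOWED_HOSTS = new Set([
  'twitter.com', 'www.twitter.com', 'mobile.twitter.com', 'x.com', 'www.x.com',
]);
// /<handle>/status/<numeric id>, optional trailing slash, nothing else.
const STATUS_PATH = /^\/([A-Za-z0-9_]{1,15})\/status\/(\d{1,25})\/?$/;

// Hardened: parse with the WHATWG URL parser, require https, allowlist the
// host, require the status-path shape, then rebuild a canonical URL from the
// matched parts. Returns null for anything that is not a tweet URL.
function canonicalTweetUrl(input) {
  let u;
  try { u = new URL(input); } catch { return null; }
  if (u.protocol !== 'https:') return null;
  if (!ALLOWED_HOSTS.has(u.hostname.toLowerCase())) return null;
  const m = STATUS_PATH.exec(u.pathname);
  if (!m) return null;
  return `https://twitter.com/${m[1]}/status/${m[2]}`;
}

// The canonical URL contains only [A-Za-z0-9_/:.], so escaping is defence in
// depth here rather than the primary control.
function safeTweetToEmbed(input) {
  const canonical = canonicalTweetUrl(input);
  if (canonical === null) return null;
  return '<blockquote class="twitter-tweet"><a href="' + escapeHtml(canonical) +
    '"></a></blockquote>' +
    '<script async src="https://platform.twitter.com/widgets.js"></script>';
}

// Constructed payload (not taken from the advisory): closes the href attribute
// and the <a> tag, then adds an element with an event handler.
const PAYLOAD = 'https://twitter.com/x/status/1"><img src=x onerror="alert(document.cookie)';

console.log('vulnerable:', vulnerableTweetToEmbed(PAYLOAD));
console.log('hardened  :', safeTweetToEmbed(PAYLOAD));          // null
console.log('canonical :', canonicalTweetUrl('https://x.com/NASA/status/1234567890?s=20'));
```

The validator rejects userinfo tricks (https://twitter.com@evil.example/...), look-alike hosts, non-https schemes and any path that is not a status URL; the URL parser percent-encodes the quote and angle brackets in the payload’s path, so it never matches. Independently of validation, giving the outer iframe a sandbox attribute keeps whatever ends up in srcdoc in an opaque origin rather than the editor’s own.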
Affected Systems
All releases of the Notesnook desktop, Android, and iOS applications issued before version 3.3.9 are affected. The Common Platform Enumeration strings confirm coverage of the desktop, Android, and iOS builds under the streetwriters:notesnook vendor. No narrower version range is listed, so every build up to but not including 3.3.9 should be treated as containing the flaw.
Risk and Exploitability
The CVSS score of 5.4 indicates medium severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not present in the CISA KEV catalog. Exploitation requires an attacker to create, or inject into, a note containing a crafted Twitter/X embed URL. When any user, including the note owner, opens that note, the injected script executes within the Notesnook application’s rendering context. The likely attack vector is inferred to be local XSS within the application environment; this inference is drawn from the stored nature of the flaw and the requirement that the user open the compromised note. Upgrading to 3.3.9 or later addresses the flaw; because the payload lives in stored note content, notes containing Twitter/X embeds created on earlier versions are worth reviewing.
OpenCVE Enrichment