Description
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.
Published: 2026-03-27
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the note history comparison viewer of the Notesnook web and desktop apps. Attackers can insert malicious HTML in a note header, which is rendered with dangerouslySetInnerHTML without sanitization. When the desktop application subsequently uses the full backup and restore feature, the embedded script runs inside Electron because node integration is enabled and context isolation is disabled, allowing the attacker to execute arbitrary code on the victim's machine.

Affected Systems

All users of the Notesnook web and desktop client with versions earlier than 3.3.11 are impacted. This includes the streetwriters:Notesnook Web/Desktop product line. Upgrading to 3.3.11 or later removes the flaw.

Risk and Exploitability

The CVSS score is 8.6, indicating a high severity. EPSS is below 1%, suggesting a low probability of widespread exploitation at present. The issue is not listed in CISA’s KEV catalog. The likely attack path involves an adversary crafting a malicious note or note history entry that a legitimate user opens; the script then executes in the desktop context. Because the vulnerability requires the desktop Electron environment, but the initial trigger occurs through the web interface, the attack can be performed against an attacker’s own machine or via a compromised colleague’s session. The combination of a stored XSS and insecure Electron settings turns the flaw into a remote code execution vector.

Generated by OpenCVE AI on March 31, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install version 3.3.11 or newer of the Notesnook web and desktop applications.
  • If an upgrade is not immediately possible, remove or disable the full backup and restore feature in the desktop client to break the execution chain.
  • If using a browser‑based interface, restrict note share permissions to trusted users and audit for unexpected note header content.

Generated by OpenCVE AI on March 31, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Streetwriters notesnook Desktop
CPEs cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:*
Vendors & Products Streetwriters notesnook Desktop

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Streetwriters
Streetwriters notesnook Web/desktop
Vendors & Products Streetwriters
Streetwriters notesnook Web/desktop

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.
Title Notesnook vulnerable to RCE via stored XSS in Note History diff viewer
Weaknesses CWE-79
CWE-94
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Streetwriters Notesnook Desktop Notesnook Web/desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T13:02:56.898Z

Reserved: 2026-03-24T19:50:52.106Z

Link: CVE-2026-33955

cve-icon Vulnrichment

Updated: 2026-03-30T18:40:06.902Z

cve-icon NVD

Status : Modified

Published: 2026-03-27T22:16:22.083

Modified: 2026-04-02T14:16:30.127

Link: CVE-2026-33955

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:36Z

Weaknesses