Description
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
Published: 2026-03-27
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Notesnook, a note‑taking application, had a stored cross‑site scripting flaw in its Web Clipper rendering flow that can be elevated to full remote code execution on the victim’s machine. The clipper accepts attacker‑controlled attributes from the original page’s root element and stores them in the generated clip HTML. When the clip is later opened, Notesnook writes that HTML into an unsandboxed iframe with the same origin using contentDocument.write. Any event‑handler attributes—such as onload, onclick, or onmouseover—execute in the Notesnook origin. On desktop, the Electron runtime is configured with nodeIntegration set to true and contextIsolation set to false, so the injected code gains full access to the host system, resulting in complete compromise.

Affected Systems

The affected products are streetwriters’ Notesnook Web/Desktop and the mobile iOS/Android apps. All pre‑update releases before version 3.3.11 on the Web/Desktop build and before version 3.3.17 on the Android/iOS builds are vulnerable. The patches that fix the issue are released as 3.3.11 for Web/Desktop and 3.3.17 for Android/iOS.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.7, indicating critical severity, while the EPSS score is below 1 %, suggesting a low likelihood of active exploitation within the current threat landscape. Notesnook is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious page to a victim’s Web Clipper; the victim must then open the stored clip, at which point the unsandboxed iframe runs the injected code with full Electron privileges, enabling remote code execution.

Generated by OpenCVE AI on March 31, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update to Notesnook Web/Desktop (version 3.3.11 or newer).
  • Apply the latest update to Notesnook Android/iOS (version 3.3.17 or newer).
  • Verify that all users have updated to the patched versions to eliminate the attack surface.

Generated by OpenCVE AI on March 31, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Streetwriters notesnook Desktop
Streetwriters notesnook Mobile
CPEs cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:*
cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:android:*:*
cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:iphone_os:*:*
Vendors & Products Streetwriters notesnook Desktop
Streetwriters notesnook Mobile

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Streetwriters
Streetwriters notesnook Ios/android
Streetwriters notesnook Web/desktop
Vendors & Products Streetwriters
Streetwriters notesnook Ios/android
Streetwriters notesnook Web/desktop

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
Title Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering
Weaknesses CWE-79
CWE-94
References
Metrics cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Streetwriters Notesnook Desktop Notesnook Ios/android Notesnook Mobile Notesnook Web/desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T03:55:22.486Z

Reserved: 2026-03-24T22:20:06.210Z

Link: CVE-2026-33976

cve-icon Vulnrichment

Updated: 2026-03-30T15:38:52.437Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T22:16:22.250

Modified: 2026-03-31T18:21:36.440

Link: CVE-2026-33976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:37Z

Weaknesses