Description
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17.
Published: 2026-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) in Notesnook mobile share editor
Action: Immediate Patch
AI Analysis

Impact

A stored XSS vulnerability exists in the Notesnook mobile share and web clip flow. Attacker-controlled clip metadata, such as the share title, is concatenated into HTML without escaping and then rendered with innerHTML inside the app’s WebView. When a user opens the share flow and selects the web clip option, the malicious payload is injected into the generated HTML and executed in the editor WebView, allowing the attacker to run arbitrary JavaScript within the Notesnook application. This can lead to session hijacking, data theft, or execution of malicious code on the device. The weakness is a typical cross‑site scripting flaw (CWE‑79).
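The contrast below is an added illustration of the bug class described above, not code from Notesnook or Streetwriters: a share title concatenated straight into an anchor tag, beside the same title HTML-escaped for its context. It also restricts the link target to http/https, a check that escaping alone does not provide. The function names, the sample title and the URL are all constructed for this example.

```javascript
// Added example (not Notesnook code): unescaped concatenation of clip
// metadata into HTML versus context-aware escaping of the same values.

// Constructed sample share title that tries to close the <a> element early
// and smuggle its own element into the generated markup.
const CONSTRUCTED_TITLE = 'Weekly report</a><b>injected</b>';
const CONSTRUCTED_URL = 'https://example.com/report';

// Minimal HTML escaper, safe for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only http(s) absolute URLs are allowed as link targets; anything else
// (unparseable input, javascript:, data:, ...) falls back to about:blank.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (e) {
    // not an absolute URL at all
  }
  return 'about:blank';
}

// Vulnerable pattern: untrusted title and URL are dropped into the markup
// verbatim, so any tag characters in them become real elements.
function buildClipHtmlUnsafe(title, url) {
  return '<a href="' + url + '">' + title + '</a>';
}

// Hardened pattern: the URL is scheme-checked, then every untrusted value
// is escaped for the HTML context it lands in.
function buildClipHtmlSafe(title, url) {
  return '<a href="' + escapeHtml(safeHref(url)) + '">' + escapeHtml(title) + '</a>';
}

// Counts element start tags, so the two outputs can be compared.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log('unsafe:', buildClipHtmlUnsafe(CONSTRUCTED_TITLE, CONSTRUCTED_URL));
console.log('safe:  ', buildClipHtmlSafe(CONSTRUCTED_TITLE, CONSTRUCTED_URL));
```

With the constructed title, the unsafe builder yields two element start tags (the intended anchor plus the injected `<b>`), while the safe builder yields exactly one and keeps the title as visible text. Wherever the result is handed to `innerHTML`, the same rule applies: either escape every untrusted value for its context first, or set it through `textContent` and avoid HTML assembly entirely.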

Affected Systems

The vulnerability affects the Notesnook note‑taking application developed by Streetwriters. All releases prior to version 3.3.17 on both Android and iOS platforms are impacted. Users of earlier builds should verify their current version against the published release notes.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is likely social‑engineering based, whereby an attacker crafts a malicious title or link preview that is shared with a victim. Because the payload is stored and executed when the victim opens the share flow, an unauthenticated attacker who can influence the share metadata can trigger the exploit. The risk to confidentiality, integrity, or availability depends on the JavaScript executed by the attacker, but the exploitation requires the victim to invoke the share editor with the crafted data.

Generated by OpenCVE AI on April 2, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Notesnook to version 3.3.17 or later.
  • If an upgrade is not possible, refrain from using the Web clip feature until a patch is available.
  • Ensure that any URLs or metadata shared within the app are from trusted sources and not manipulated by malicious actors.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Streetwriters notesnook Mobile
Type: CPEs | Values Removed: (none) | Values Added: cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:android:*:*, cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:iphone_os:*:*
Type: Vendors & Products | Values Removed: (none) | Values Added: Streetwriters notesnook Mobile

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Streetwriters, Streetwriters notesnook
Type: Vendors & Products | Values Removed: (none) | Values Added: Streetwriters, Streetwriters notesnook

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description | Values Removed: (none) | Values Added: Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17.
Type: Title | Values Removed: (none) | Values Added: Notesnook: Stored XSS in mobile share editor via unescaped web clip title metadata
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-79
Type: References | Values Removed: (none) | Values Added: (none listed)
Type: Metrics | Values Removed: (none) | Values Added:

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Streetwriters Notesnook Notesnook Mobile
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T19:07:24.523Z

Reserved: 2026-03-24T22:20:06.210Z

Link: CVE-2026-33978

Vulnrichment

Updated: 2026-04-01T19:07:21.163Z

NVD

Status : Analyzed

Published: 2026-04-01T17:28:39.660

Modified: 2026-04-21T00:12:14.177

Link: CVE-2026-33978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:17:17Z

Weaknesses