Description
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
Published: 2026-05-04
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Notesnook, a privacy‑focused note‑taking application, contains a stored cross‑site scripting flaw in the export flow. Exported note fields such as title, headline, and content are inserted into an HTML template without escaping. When the note is later exported to PDF, Notesnook renders that HTML in an unsandboxed, same‑origin iframe using iframe.srcdoc. In desktop versions built with Electron, nodeIntegration is enabled and contextIsolation is disabled, allowing injected script to run with full Node.js privileges and thus achieving remote code execution on the victim’s machine.

Affected Systems

The vulnerability affects Streetwriters Notesnook Web and Desktop releases before version 3.3.15 and iOS/Android releases before version 3.3.20. Any user running these versions and exporting notes that contain attacker‑supplied JavaScript is at risk.

Risk and Exploitability

The flaw carries a CVSS score of 9.6, indicating critical severity. No EPSS data is available, and the issue is not listed in CISA’s KEV catalog. The attack requires the ability to create or influence a note that will be exported; this requirement is inferred from the description of the export flow. Because the injected payload is stored and executed locally, the exploitation probability is high for users who export notes containing malicious content, making this a serious local vulnerability.

Generated by OpenCVE AI on May 4, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Notesnook Web/Desktop to version 3.3.15 or later.
  • Upgrade Notesnook iOS/Android to version 3.3.20 or later.
  • Avoid exporting notes that contain untrusted or unsanitized HTML until patches are applied.

Generated by OpenCVE AI on May 4, 2026 at 18:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Streetwriters
Streetwriters notesnook
Vendors & Products Streetwriters
Streetwriters notesnook

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
Title Notesnook: RCE via stored XSS in note export rendering
Weaknesses CWE-79
CWE-94
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Streetwriters Notesnook
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T03:56:38.973Z

Reserved: 2026-04-23T19:17:30.566Z

Link: CVE-2026-42090

cve-icon Vulnrichment

Updated: 2026-05-04T17:14:24.849Z

cve-icon NVD

Status : Received

Published: 2026-05-04T17:16:25.190

Modified: 2026-05-04T17:16:25.190

Link: CVE-2026-42090

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:00:07Z

Weaknesses