CVE-2026-33976

Summary

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using contentDocument.write(...). Event-handler attributes such as onload, onclick, or onmouseover execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.

Affected Software

VendorProductVersion RangeStatus
streetwritersNotesnook Web/Desktop< 3.3.11affected
streetwritersNotesnook iOS/Android< 3.3.17affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References