PT-2026-28579 · Electron+1

Ngocnn97 · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33955

CVSS v3.1: 8.6 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Notesnook versions prior to 3.3.11

Description

Notesnook is a note-taking app. The note history comparison viewer on its Web/Desktop platforms has a cross-site scripting issue that can lead to remote code execution in the desktop application. The issue occurs when an attacker-controlled note header is displayed using dangerouslySetInnerHTML without proper security measures. The desktop application's Electron configuration, with nodeIntegration set to true and contextIsolation set to false, allows escalation to remote code execution when combined with the full backup and restore feature. The vulnerable function is dangerouslySetInnerHTML. The vulnerable parameter is the note header.

Recommendations

Update Notesnook to version 3.3.11 or later.
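
The two conditions the description combines, shown from the defensive side as an added example (this is not Notesnook's code or its patch): `escapeHtml` encodes a note header so it renders as text, and `auditWebPreferences` flags the Electron settings named above. All function names and sample values are assumptions made for illustration.

```javascript
// Added example with constructed values; not Notesnook's source code.
"use strict";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a note header so it displays as text even if a component later
// places the string into an HTML sink such as dangerouslySetInnerHTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The two webPreferences values the advisory names, with the value each
// should have so that script running in the renderer cannot call Node.js.
const EXPECTED_PREFS = { nodeIntegration: false, contextIsolation: true };

// Return one finding per setting that is present and differs from
// EXPECTED_PREFS. An absent key is not reported: what it resolves to depends
// on the Electron version's defaults, so pin both keys explicitly.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, expected] of Object.entries(EXPECTED_PREFS)) {
    if (key in prefs && prefs[key] !== expected) {
      findings.push({ key, actual: prefs[key], expected });
    }
  }
  return findings;
}

// Constructed samples: the configuration as the advisory describes it,
// and the corrected form.
const describedPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true };

console.log(escapeHtml('<b>Q&A "notes"</b>'));
console.log(auditWebPreferences(describedPrefs));
console.log(auditWebPreferences(hardenedPrefs));
```

Either control alone narrows the impact: encoding the header removes the script injection, and the corrected webPreferences keep a renderer-side injection from reaching Node.js APIs.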

Exploit · Fix · RCE · Code Injection · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33955
GHSA-45G3-CV93-Q59V

Affected Products

Electron
Notesnook