Git · Notesnook · CVE-2026-31876
**Name of the Vulnerable Software and Affected Versions**
Notesnook versions prior to 3.3.9
**Description**
A stored cross-site scripting (XSS) vulnerability existed in Notesnook's editor embed component when it processed Twitter/X embed URLs. The `tweetToEmbed()` function in `component.tsx` concatenated the user-supplied URL into an HTML string without escaping it and assigned the result to the `srcdoc` attribute of an `<iframe>`. A crafted "URL" could therefore terminate the attribute or element it was placed in and inject arbitrary markup, including `<script>` or event-handler attributes. Because the embed URL is saved as part of the note, the payload persisted and ran each time the note was rendered. Note also that a document loaded through `srcdoc` shares the embedding page's origin unless the `<iframe>` carries a `sandbox` attribute, so in an unsandboxed frame injected script has the same access as the editor itself.
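The following is an added illustrative example and not Notesnook's code: it reconstructs the vulnerable pattern the advisory describes (a user URL concatenated unescaped into an HTML string destined for an iframe `srcdoc`) next to a hardened version that validates the URL, rebuilds it from the parsed parts, and escapes it for the attribute context. The function bodies, the embed markup, the host allow-list and the sample inputs are all assumptions made for the example.

```javascript
// Added illustrative example (not Notesnook's code): a minimal
// reconstruction of the vulnerable pattern the advisory describes, a user
// URL concatenated into an HTML string that is later assigned to an
// <iframe srcdoc>, next to a hardened version. Function bodies, the embed
// markup, the host allow-list and the sample inputs are all assumptions.

const WIDGET_SCRIPT =
  '<script async src="https://platform.twitter.com/widgets.js"></script>';

// Vulnerable pattern: the caller's string lands in an attribute unescaped,
// so a value containing `"><` closes the attribute and the element, and
// everything after it is parsed as fresh markup.
function tweetToEmbedVulnerable(url) {
  return (
    `<blockquote class="twitter-tweet"><a href="${url}"></a></blockquote>` +
    WIDGET_SCRIPT
  );
}

// Escape the five characters that matter inside an HTML attribute value.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate first: only https, only twitter.com / x.com (optionally with a
// www. or mobile. prefix), and only the /<handle>/status/<numeric id> shape.
// Returns the parsed parts or null; it never returns the raw input.
function parseTweetUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null;
  const host = u.hostname.replace(/^(www|mobile)\./, "");
  if (host !== "twitter.com" && host !== "x.com") return null;
  // WHATWG URL parsing percent-encodes `"`, `<`, `>` in the path, so an
  // attribute-breakout payload can never match this pattern.
  const m = /^\/([A-Za-z0-9_]{1,15})\/status\/(\d{1,20})\/?$/.exec(u.pathname);
  if (!m) return null;
  return { user: m[1], id: m[2] };
}

// Hardened: rebuild the URL from validated parts (so nothing attacker
// controlled is echoed), then escape it for the attribute context anyway.
function tweetToEmbedSafe(raw) {
  const t = parseTweetUrl(raw);
  if (t === null) return null;
  const canonical = `https://twitter.com/${t.user}/status/${t.id}`;
  return (
    `<blockquote class="twitter-tweet"><a href="${escapeHtmlAttr(canonical)}"></a></blockquote>` +
    WIDGET_SCRIPT
  );
}

// Constructed sample inputs for the demo; they are not from the advisory.
const BENIGN_URL = "https://twitter.com/jack/status/20";
const HOSTILE_URL =
  'https://twitter.com/jack/status/20"></a><img src=x onerror="alert(document.domain)">';

// Runs the two builders over both inputs and reports what each did.
function demo() {
  const results = {
    vulnerableEchoesPayload: tweetToEmbedVulnerable(HOSTILE_URL).includes("onerror="),
    safeRejectsPayload: tweetToEmbedSafe(HOSTILE_URL) === null,
    safeAcceptsBenign: tweetToEmbedSafe(BENIGN_URL) !== null,
  };
  console.log(results);
  return results;
}

demo();
```

When the resulting string is placed into the frame, assign it through the DOM property (`iframe.srcdoc = html`) rather than by building an `srcdoc="..."` attribute in yet another string, and give the `<iframe>` a `sandbox` attribute (`allow-scripts` without `allow-same-origin` is enough for a widget script) so that even a future escaping mistake runs in an opaque origin instead of the editor's.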
**Recommendations**
Update Notesnook to version 3.3.9 or later.