CVE-2026-31876

Name of the Vulnerable Software and Affected Versions Notesnook versions prior to 3.3.9

Description A Stored Cross-Site Scripting (XSS) issue existed in Notesnook’s editor embed component when processing Twitter/X embed URLs. The tweetToEmbed() function within component.tsx directly incorporated user-provided URLs into an HTML string without proper escaping before assigning it to the srcdoc attribute of an <iframe>. This allowed for the injection of malicious scripts.

Recommendations Update Notesnook to version 3.3.9 or later.