PT-2026-28580 · Electron+1
Ngocnn97 · Published 2026-03-27 · Updated 2026-04-05 · CVE-2026-33976
CVSS v3.1: 9.6 Critical (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Notesnook versions prior to 3.3.11 (Web/Desktop) and prior to 3.3.17 (Android/iOS)

Description: Notesnook is a note-taking app. A stored cross-site scripting (XSS) issue in the Web Clipper rendering flow can be exploited to achieve remote code execution (RCE) in the desktop application. The root cause is the preservation of attacker-controlled attributes from the source page’s root element within web-clip HTML. When these clips are opened, Notesnook renders the HTML into a same-origin, unsandboxed iframe using contentDocument.write(...). Event-handler attributes like onload, onclick, or onmouseover are then executed within the Notesnook origin. In the desktop app, this leads to RCE because Electron is configured with nodeIntegration: true and contextIsolation: false.

Recommendations: Update to version 3.3.11 for Web/Desktop. Update to version 3.3.17 for Android/iOS.
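As an added example (not Notesnook's or Electron's own code), the two defensive checks the description implies: strip inline event-handler attributes from every start tag of clip HTML, the root element included, before it is written into a rendering iframe, and flag the Electron webPreferences that let a same-origin XSS reach Node. The regex start-tag tokenizer is a simplified stand-in for a real HTML sanitizer; the sample clip is constructed.

```javascript
// Added example, not Notesnook's or Electron's own code. A regex-based start-tag
// tokenizer stands in for a real HTML sanitizer; it is enough to show the pattern.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>]+))?/g;

// Remove inline event-handler attributes (onload, onclick, onmouseover, ...) from
// every start tag, the clip's root element included, before the HTML is rendered.
// Returns the cleaned markup plus the attribute names that were dropped, so the
// caller can log the event.
function sanitizeClipHtml(html) {
  const dropped = [];
  const clean = html.replace(TAG_RE, (_match, name, attrs, selfClose) => {
    const kept = [];
    for (const [, attrName, value] of attrs.matchAll(ATTR_RE)) {
      if (/^on/i.test(attrName)) {
        dropped.push(attrName.toLowerCase());
        continue;
      }
      kept.push(value === undefined ? attrName : `${attrName}=${value}`);
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${name}${attrText}${selfClose ? ' /' : ''}>`;
  });
  return { html: clean, dropped };
}

// Lists the BrowserWindow webPreferences settings that turn a same-origin XSS
// into code execution on the host, as the advisory describes for the desktop app.
function unsafeWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration must be false');
  if (prefs.contextIsolation === false) findings.push('contextIsolation must be true');
  if (prefs.sandbox === false) findings.push('sandbox must be true');
  return findings;
}

// Constructed sample clip: the root element carries a preserved onload handler.
const SAMPLE_CLIP =
  '<html onload="alert(1)" lang="en"><body onclick=\'x()\'>' +
  '<p onmouseover="y()">hi</p><img src="a.png" alt=x></body></html>';

console.log(sanitizeClipHtml(SAMPLE_CLIP));
console.log(unsafeWebPreferences({ nodeIntegration: true, contextIsolation: false }));
```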

Tags: Exploit · Fix · RCE · Code Injection · XSS

Related Identifiers: CVE-2026-33976, GHSA-F42F-PHVP-43X5

Affected Products: Electron, Notesnook