PT-2026-36859 · Notesnook · Notesnook

Iiihaiii · Published 2026-05-04 · Updated 2026-05-13 · CVE-2026-42090

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Notesnook Web/Desktop versions prior to 3.3.15
Notesnook iOS/Android versions prior to 3.3.20

Description
A stored Cross-Site Scripting (XSS) issue exists in the note export flow. The problem occurs because exported note fields, including title, headline, and content, are inserted into the generated HTML template without proper HTML escaping. When a note is exported to PDF, the application renders this HTML into a same-origin, unsandboxed iframe using iframe.srcdoc. This allows injected scripts to execute within the Notesnook origin. In the desktop application, this can be escalated to remote code execution (RCE) because Electron is configured with nodeIntegration: true and contextIsolation: false.

Recommendations
Update Web/Desktop versions to 3.3.15. Update iOS/Android versions to 3.3.20.
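The following is an added illustration of the defect class the description names, not Notesnook's code and not the vendor's fix: an export template that interpolates note fields raw, beside one that escapes them, a check that flags any surviving script element, and the iframe sandbox and Electron webPreferences settings that keep a stray script from running in the application origin or reaching Node.js. The field names (title, headline, content) come from the advisory; the template layout, the escapeHtml/buildExportHtml*/renderExportPreview function names and the sample note are assumptions of this example.

```javascript
// Added example, not Notesnook's code: the unescaped export template pattern the
// advisory describes beside an escaped one, plus the iframe and Electron settings
// that keep a stray script from reaching the application origin or Node.js.
// Field names (title, headline, content) follow the advisory; the template
// layout and all function names are assumed for illustration.

// Escape the characters that can end an HTML text node or attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: note fields interpolated into the template as-is, so any
// markup stored in a note becomes live markup in the exported document.
function buildExportHtmlUnsafe(note) {
  return `<!doctype html><html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1><p class="headline">${note.headline}</p>` +
    `<div class="content">${note.content}</div></body></html>`;
}

// Hardened pattern: every untrusted field is escaped at the point of
// interpolation. Fields are treated as plain text here; if content is stored
// as rich-text HTML it needs an allow-list sanitizer instead of escaping.
function buildExportHtmlSafe(note) {
  const title = escapeHtml(note.title);
  const headline = escapeHtml(note.headline);
  const content = escapeHtml(note.content);
  return `<!doctype html><html><head><title>${title}</title></head>` +
    `<body><h1>${title}</h1><p class="headline">${headline}</p>` +
    `<div class="content">${content}</div></body></html>`;
}

// Coarse detection check: does the generated document still contain a
// <script element that a browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the preview/PDF step: hand the HTML to an iframe via
// srcdoc only with an empty sandbox attribute, which blocks script execution
// and gives the frame an opaque origin (assumed DOM code; needs a browser).
function renderExportPreview(html, doc) {
  const iframe = doc.createElement("iframe");
  iframe.setAttribute("sandbox", "");
  iframe.srcdoc = html;
  return iframe;
}

// Electron BrowserWindow webPreferences: the combination the advisory names as
// turning XSS into RCE, and the settings that keep renderer JavaScript away
// from Node.js.
const VULNERABLE_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false };
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Constructed sample note (not real data) with markup in each field.
const SAMPLE_NOTE = {
  title: "Groceries <script>x()</script>",
  headline: 'Weekly "must-buy" list & extras',
  content: "Milk <b>2L</b>, eggs, it's urgent",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe has script:", containsScriptTag(buildExportHtmlUnsafe(SAMPLE_NOTE)));
  console.log("safe has script:", containsScriptTag(buildExportHtmlSafe(SAMPLE_NOTE)));
  console.log(buildExportHtmlSafe(SAMPLE_NOTE));
}
```

Run with `node` to see the escaped document; the escaping step alone closes the injection point the advisory describes, while the sandboxed iframe and the hardened webPreferences are independent layers, so a future missed escape stays a rendering glitch rather than same-origin script execution or a Node.js foothold.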

Tags: Fix · RCE · Code Injection · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-42090

Affected Products
Notesnook