Refine your search
3 vulnerabilities found for notesnook by streetwriters
CVE-2026-42090 (GCVE-0-2026-42090)
Vulnerability from cvelistv5
Published
2026-05-04 16:43
Modified
2026-05-05 03:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| streetwriters | notesnook |
Version: Notesnook Web/Desktop < 3.3.15 Version: Notesnook iOS/Android < 3.3.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T03:56:38.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "notesnook",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "Notesnook Web/Desktop \u003c 3.3.15"
},
{
"status": "affected",
"version": "Notesnook iOS/Android \u003c 3.3.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app focused on user privacy \u0026 ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:43:07.527Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4"
},
{
"name": "https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android"
},
{
"name": "https://github.com/streetwriters/notesnook/releases/tag/v3.3.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/releases/tag/v3.3.15"
}
],
"source": {
"advisory": "GHSA-fjm8-jg78-89h4",
"discovery": "UNKNOWN"
},
"title": "Notesnook: RCE via stored XSS in note export rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42090",
"datePublished": "2026-05-04T16:43:07.527Z",
"dateReserved": "2026-04-23T19:17:30.566Z",
"dateUpdated": "2026-05-05T03:56:38.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33978 (GCVE-0-2026-33978)
Vulnerability from cvelistv5
Published
2026-04-01 16:11
Modified
2026-04-01 19:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| streetwriters | notesnook |
Version: < 3.3.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33978",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T19:07:14.241983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:07:24.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "notesnook",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app focused on user privacy \u0026 ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as \u003c/a\u003e\u003cimg src=x onerror=...\u003e. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:11:56.610Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm"
},
{
"name": "https://github.com/streetwriters/notesnook/commit/fc8807f74db5539036c5e58d3d68a11ea54098db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/commit/fc8807f74db5539036c5e58d3d68a11ea54098db"
},
{
"name": "https://github.com/streetwriters/notesnook/releases/tag/3.3.17-android",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/releases/tag/3.3.17-android"
}
],
"source": {
"advisory": "GHSA-f27j-fqc6-v7pm",
"discovery": "UNKNOWN"
},
"title": "Notesnook: Stored XSS in mobile share editor via unescaped web clip title metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33978",
"datePublished": "2026-04-01T16:11:56.610Z",
"dateReserved": "2026-03-24T22:20:06.210Z",
"dateUpdated": "2026-04-01T19:07:24.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31876 (GCVE-0-2026-31876)
Vulnerability from cvelistv5
Published
2026-03-11 18:17
Modified
2026-03-12 20:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| streetwriters | notesnook |
Version: < 3.3.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T20:08:06.045805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T20:08:12.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "notesnook",
"vendor": "streetwriters",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notesnook is a note-taking app focused on user privacy \u0026 ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook\u0027s editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an \u003ciframe\u003e. This vulnerability is fixed in 3.3.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T18:17:08.142Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5"
},
{
"name": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7"
}
],
"source": {
"advisory": "GHSA-jprx-2w2h-4rh5",
"discovery": "UNKNOWN"
},
"title": "Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31876",
"datePublished": "2026-03-11T18:17:08.142Z",
"dateReserved": "2026-03-09T19:02:25.014Z",
"dateUpdated": "2026-03-12T20:08:12.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}