CVE-2026-33955

Notesnook vulnerable to RCE via stored XSS in Note History diff viewer

Assigner: GitHub_M
Reserved: 24.03.2026 Published: 27.03.2026 Updated: 27.03.2026

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using dangerouslySetInnerHTML without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 patches the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 8.6

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	streetwriters
Product	Notesnook Web/Desktop
Versions	Version < 3.3.11 is affected

Vendor

streetwriters

Product

Notesnook Web/Desktop

Versions

Version < 3.3.11 is affected

References

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE
CWE-94: Improper Control of Generation of Code ('Code Injection') CWE

CVE-2026-33955 PUBLISHED

Notesnook vulnerable to RCE via stored XSS in Note History diff viewer

Metrics

Product Status

References

Problem Types