CVE-2026-33955 HIGH

CVE-2026-33955: Notesnook vulnerable to RCE via stored XSS in Note History diff viewer

Vendor Streetwriters
Product Notesnook Web/Desktop
Weakness CWE-79 · XSS
Published March 27, 2026
Last update April 3, 2026

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
April 3, 2026 Record updated