CVE-2026-33976 CRITICAL

CVE-2026-33976: Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering

Vendor Streetwriters

Product Notesnook Web/Desktop

Weakness CWE-79 · XSS

Published March 27, 2026

Last update April 3, 2026

View on NVD All CVEs

CVSS base score

9.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published

April 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33976 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-33976

CWE CWE-79

CVSS 9.7 / CRITICAL

Affected versions

Vendor Streetwriters

Product Notesnook Web/Desktop

Affected < 3.3.11

Vendor Streetwriters

Product Notesnook iOS/Android

Affected < 3.3.17

CVE-2026-33976: Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering

01Description

02Disclosure timeline

03References

04Related CVE