Unrated severityNVD Advisory· Published Mar 11, 2026· Updated Mar 12, 2026
Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)
CVE-2026-31876
Description
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an . This vulnerability is fixed in 3.3.9.
Affected products
2<3.3.9+ 1 more
- (no CPE)range: <3.3.9
- (no CPE)range: < 3.3.9
Patches
Vulnerability mechanics
References
2- github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7mitrex_refsource_MISC
- github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.