VYPR
High severity · 8.6 · NVD Advisory · Published Mar 27, 2026 · Updated Apr 2, 2026

CVE-2026-33955

Description

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a stored cross-site scripting vulnerability in the note history comparison viewer can escalate to remote code execution in the desktop application. The issue is triggered when an attacker-controlled note header is rendered using dangerouslySetInnerHTML without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 patches the issue.
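The two conditions named in the description, shown from the defender's side as an added example (not Notesnook's code or its actual fix): escaping a note header before it reaches an innerHTML-style sink, and flagging the Electron webPreferences values that turn a renderer XSS into code execution. The function names, the markup and the sample title are assumptions constructed for illustration.

```javascript
// Added example; not code from Notesnook. All names and samples are hypothetical.

// Make untrusted text inert before it is placed in markup that is later
// handed to an innerHTML-style sink such as React's dangerouslySetInnerHTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical header renderer for one side of a history comparison view.
// The unsafe form interpolates the stored title as markup; the safe form
// escapes it so the viewer shows the title as literal text.
function renderHeaderUnsafe(title) {
  return `<h1 class="title">${title}</h1>`;
}
function renderHeaderSafe(title) {
  return `<h1 class="title">${escapeHtml(title)}</h1>`;
}

// Flag explicitly set Electron webPreferences values that give page scripts
// access to Node.js. Keys left unset are not flagged: current Electron
// defaults are nodeIntegration false and contextIsolation true.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push({ key: "nodeIntegration", reason: "page scripts can call Node.js APIs" });
  }
  if (prefs.contextIsolation === false) {
    findings.push({ key: "contextIsolation", reason: "page scripts share a JS context with preload code" });
  }
  return findings;
}

// Constructed sample: a note title carrying markup, as it might arrive
// inside a restored backup.
const sampleTitle = `<img src=x onerror="console.log('xss')">`;

// The two configurations side by side: as described in the advisory, and hardened.
const describedConfig = { nodeIntegration: true, contextIsolation: false };
const hardenedConfig = { nodeIntegration: false, contextIsolation: true };

console.log(renderHeaderUnsafe(sampleTitle)); // markup survives into the DOM
console.log(renderHeaderSafe(sampleTitle));   // rendered as literal text
console.log(auditWebPreferences(describedConfig).map((f) => f.key));
console.log(auditWebPreferences(hardenedConfig).length);
```

Escaping is sufficient only where the header is meant to be plain text; if the comparison viewer must render rich HTML, an allow-list sanitizer is needed at that sink instead.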
