High severity · 8.6 · NVD Advisory · Published Mar 27, 2026 · Updated Apr 2, 2026
CVE-2026-33955
Description
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a stored cross-site scripting vulnerability in the note history comparison viewer can escalate to remote code execution in the desktop application. The issue is triggered when an attacker-controlled note header is rendered with `dangerouslySetInnerHTML` without secure handling. Combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.
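The two conditions in the description can be checked separately: whether stored text is escaped before it reaches HTML, and whether the Electron window settings let a renderer-side script reach Node.js. The block below is an added example, not Notesnook's code or its patch; the function names, the sample title and the `webPreferences` objects are constructed for illustration.

```javascript
// Added example (not Notesnook code). All names here are hypothetical.

// Escape text before it is placed into HTML, so a stored note header
// is displayed as text instead of being parsed as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Audit a BrowserWindow `webPreferences` object for the two settings the
// advisory names. Keys that are not set fall back to Electron's defaults in
// current releases (nodeIntegration: false, contextIsolation: true).
function auditWebPreferences(prefs = {}) {
  const findings = [];
  const nodeIntegration = prefs.nodeIntegration ?? false;
  const contextIsolation = prefs.contextIsolation ?? true;
  if (nodeIntegration === true) {
    findings.push("nodeIntegration: true exposes Node.js APIs to page scripts");
  }
  if (contextIsolation === false) {
    findings.push("contextIsolation: false shares one JavaScript context between page and preload code");
  }
  return findings;
}

// A renderer-side XSS turns into code execution on the host only when
// page scripts can reach Node.js, which is what these two settings control.
function xssReachesNode(prefs) {
  return auditWebPreferences(prefs).length > 0;
}

// Constructed sample input: a note header that contains markup.
const storedTitle = '<b>Q3</b> "plan" & notes';

// Configuration described in the advisory, next to a hardened one.
const weakPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log(escapeHtml(storedTitle));
console.log(auditWebPreferences(weakPrefs));
console.log(xssReachesNode(hardenedPrefs));
```

Escaping the header addresses the XSS itself; the hardened `webPreferences` limit what any remaining renderer-side script injection can do.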
Affected products
- cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:* Range: <3.3.11
- Range: <3.3.11
References
- github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v (nvd; Exploit, Vendor Advisory)