VYPR
High severity8.6NVD Advisory· Published Mar 27, 2026· Updated Apr 2, 2026

CVE-2026-33955

CVE-2026-33955

Description

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using dangerouslySetInnerHTML without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.