Cross-Site Scripting in Notesnook Note-Taking App
CVE-2026-33955

8.6 HIGH

Key Information:

Vendor
CVE Published: 27 March 2026

What is CVE-2026-33955?

The Notesnook note-taking application contains a cross-site scripting vulnerability that can lead to remote code execution. The issue arises when untrusted input is rendered via dangerouslySetInnerHTML, allowing an attacker to inject malicious note headers. The vulnerability is particularly critical in the desktop version because Electron is configured with nodeIntegration: true and contextIsolation: false, which together enable the execution of injected scripts. The vulnerability has been addressed in version 3.3.11.
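The two conditions described above, as an added example that is not Notesnook's code or its fix: a header string escaped before it reaches dangerouslySetInnerHTML, and a check that flags the two Electron webPreferences values the advisory names. All function names and the sample header are constructed for illustration.

```javascript
// Added example. Helper names and sample data are hypothetical.

// Characters that must be encoded before text is placed in an HTML context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the note header is interpolated into markup as-is, so any
// tags or event-handler attributes it carries are parsed by the renderer.
function renderHeaderUnsafe(header) {
  return { __html: `<h1>${header}</h1>` };
}

// Hardened pattern: the header is treated as text. In React, passing the
// string as a child ({header}) instead of using dangerouslySetInnerHTML
// gives the same result without manual escaping.
function renderHeaderSafe(header) {
  return { __html: `<h1>${escapeHtml(header)}</h1>` };
}

// Flags the two webPreferences settings named in the advisory. Only explicit
// values are reported; current Electron defaults are nodeIntegration: false
// and contextIsolation: true.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push({ key: "nodeIntegration", issue: "renderer scripts can reach Node.js APIs" });
  }
  if (prefs.contextIsolation === false) {
    findings.push({ key: "contextIsolation", issue: "page scripts share a context with privileged code" });
  }
  return findings;
}

// Constructed sample input: a note header carrying markup.
const SAMPLE_HEADER = 'Meeting notes <img src=x onerror="alert(1)">';
const AFFECTED_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true };

console.log(renderHeaderUnsafe(SAMPLE_HEADER).__html);
console.log(renderHeaderSafe(SAMPLE_HEADER).__html);
console.log(auditWebPreferences(AFFECTED_PREFS));
console.log(auditWebPreferences(HARDENED_PREFS));
```

Escaping addresses the injection itself; the webPreferences check addresses what an injected script could do if another injection point exists.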

Affected Version(s)

Notesnook Web/Desktop < 3.3.11

References

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
