Stored XSS Vulnerability in Notesnook Note-Taking App by Streetwriters
CVE-2026-33976

9.7 CRITICAL

Key Information:

Vendor: Streetwriters
CVE Published: 27 March 2026

What is CVE-2026-33976?

CVE-2026-33976 is a stored cross-site scripting (XSS) vulnerability in the Notesnook note-taking application developed by Streetwriters. Notesnook is a platform for creating, managing, and storing notes securely. The vulnerability affects versions prior to 3.3.11 for Web/Desktop and prior to 3.3.17 for Android/iOS.

The flaw stems from the web clipper's rendering process, which does not properly sanitize attributes carried over from the source HTML, so an attacker can embed malicious script in clipped content that is saved as a note. When a user opens such a note, the stored script executes in the context of the Notesnook application. On the desktop version this can escalate to remote code execution (RCE), because the app is built on Electron with settings that do not securely isolate contexts.

Organizations that use Notesnook face significant risk from this vulnerability: a successful exploit could result in unauthorized access to sensitive data, hijacked user sessions, or full system compromise where the RCE path is reachable.
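An added example, not Notesnook's code, of the kind of attribute allowlist a web clipper needs before storing clipped HTML in a note: it keeps only known-safe attributes per element, drops every `on*` handler, removes script-bearing elements, and rejects `href`/`src` values whose scheme is not allowlisted (including whitespace-obfuscated `javascript:`). The tag regex, attribute sets and function names are assumptions for illustration.

```javascript
// Added example (not Notesnook's code): attribute allowlisting for clipped HTML.
// Assumption: the clipper hands over raw HTML as a string and the note renderer
// later treats the sanitized string as trusted markup.
const DROPPED_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'style',
  'link', 'meta', 'base', 'form', 'svg', 'math']);
const ALLOWED_ATTRS = {
  '*': new Set(['class', 'title', 'alt']),   // permitted on any element
  a: new Set(['href']),
  img: new Set(['src', 'width', 'height']),
};
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Reject any URL whose scheme is not allowlisted; relative URLs have no scheme.
function isSafeUrl(value) {
  // Strip control characters and whitespace first so "java\tscript:" is caught.
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return !m || SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Rebuild every start tag with only vetted attributes; event handlers, style,
// and javascript:/data: URLs never survive. The tag regex handles the common
// case only (no '>' inside attribute values); a DOM-based sanitizer such as
// DOMPurify is the production route, this shows the allowlist logic.
function sanitizeClippedHtml(html) {
  const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  return html.replace(TAG_RE, (_, slash, rawName, rawAttrs) => {
    const name = rawName.toLowerCase();
    if (DROPPED_TAGS.has(name)) return '';          // drop open and close tags
    if (slash) return `</${name}>`;                 // closing tags carry no attrs
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (attr.startsWith('on')) continue;          // onerror, onload, onclick ...
      const allowed = ALLOWED_ATTRS['*'].has(attr) || ALLOWED_ATTRS[name]?.has(attr);
      if (!allowed) continue;
      if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return kept.length ? `<${name} ${kept.join(' ')}>` : `<${name}>`;
  });
}

module.exports = { sanitizeClippedHtml, isSafeUrl };
```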

Potential Impact of CVE-2026-33976

  1. Remote Code Execution: Exploitation of this vulnerability can enable an attacker to execute arbitrary code within the Notesnook application environment, potentially giving them control over the affected system.

  2. Data Breach Risk: The execution of malicious scripts could facilitate unauthorized access to stored notes and other sensitive information within the application, resulting in data leakage or compromise.

  3. User Session Hijacking: Attackers could potentially manipulate the context in which users interact with the application, allowing them to impersonate users or perform actions on their behalf, further escalating the impact on organizational security.

Affected Version(s)

Notesnook iOS/Android < 3.3.17

Notesnook Web/Desktop < 3.3.11


CVSS V3.1

Score: 9.7
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
