Stored XSS Vulnerability in Notesnook Web/Desktop and Mobile Apps
CVE-2026-42090
What is CVE-2026-42090?
Notesnook, a privacy-focused note-taking application, contains a stored cross-site scripting (XSS) flaw in its export functionality. When a note is exported, its title, headline and content fields are interpolated directly into an HTML template without HTML escaping. On export to PDF that HTML is rendered inside a same-origin iframe that is not sandboxed, so script injected into any of those fields executes in the application's own origin. On the desktop build the impact is more severe: the Electron configuration enables node integration and disables context isolation, so script running in the renderer can reach Node.js APIs and the XSS can escalate to remote code execution. The issue is fixed in the web/desktop and mobile releases listed below.
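The following JavaScript is an added illustration of the pattern the advisory describes; it is not Notesnook's code. The export template, the constructed note payloads, the iframe sandbox attribute and the Electron webPreferences objects are hypothetical stand-ins. It places the unescaped interpolation beside an escaped version and adds the two configuration checks a reviewer would apply to the PDF-rendering iframe and to the Electron renderer.

```javascript
// Illustrative only: not Notesnook's implementation. Template shape, field
// names and configuration objects are assumptions made for this example.

// A note whose title, headline and content are attacker-controlled
// (constructed sample; the payloads only change document.title, no real harm).
const maliciousNote = {
  title: 'Shopping list<img src=x onerror="document.title=\'xss\'">',
  headline: 'Weekend errands</h2><svg onload="document.title=\'xss\'">',
  content: 'Buy milk<script>document.title="xss"</script>',
};

// Vulnerable pattern: note fields dropped straight into the HTML template.
function buildExportHtmlVulnerable(note) {
  return `<!doctype html><html><head><title>${note.title}</title></head>
<body><h1>${note.title}</h1><h2>${note.headline}</h2>
<div class="content">${note.content}</div></body></html>`;
}

// Minimal escaper for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every field is escaped before interpolation.
// Caveat: if `content` must keep rich formatting, escaping flattens it to
// text; the correct tool then is an allow-list HTML sanitizer, not escaping.
function buildExportHtmlSafe(note) {
  return `<!doctype html><html><head><title>${escapeHtml(note.title)}</title></head>
<body><h1>${escapeHtml(note.title)}</h1><h2>${escapeHtml(note.headline)}</h2>
<div class="content">${escapeHtml(note.content)}</div></body></html>`;
}

// Check used below: any tag name that is not part of the template itself
// must have come from note data, i.e. it was injected.
const TEMPLATE_TAGS = new Set(['!doctype', 'html', 'head', 'title', 'body', 'h1', 'h2', 'div']);
function injectedTagNames(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z!][a-zA-Z0-9-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Second layer: the iframe that renders the export for PDF printing. Without a
// sandbox attribute, or with allow-scripts in it, injected script executes.
// A sandbox that omits allow-scripts blocks script while the frame still
// renders for printing (hypothetical attribute values, not Notesnook's).
function frameBlocksScripts(sandboxAttr) {
  if (sandboxAttr === undefined || sandboxAttr === null) return false; // no sandbox at all
  const tokens = String(sandboxAttr).split(/\s+/).filter(Boolean);
  return !tokens.includes('allow-scripts');
}

// Third layer (desktop): Electron webPreferences. nodeIntegration: true with
// contextIsolation: false lets renderer script call require() and reach the
// OS, which is why XSS becomes RCE. Electron's own defaults are already the
// hardened values (nodeIntegration false since v5, contextIsolation true
// since v12), so the insecure state is an explicit opt-in.
const insecureWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = { nodeIntegration: false, contextIsolation: true, sandbox: true };
function isRendererHardened(prefs) {
  return prefs.nodeIntegration === false
    && prefs.contextIsolation === true
    && prefs.sandbox === true;
}

console.log('injected tags (vulnerable):', injectedTagNames(buildExportHtmlVulnerable(maliciousNote)));
console.log('injected tags (escaped):   ', injectedTagNames(buildExportHtmlSafe(maliciousNote)));
console.log('frame blocks scripts:', frameBlocksScripts('allow-same-origin'));
console.log('renderer hardened:   ', isRendererHardened(hardenedWebPreferences));
```

The three checks correspond to the three weaknesses the advisory chains together: unescaped interpolation puts attacker markup into the document, the unsandboxed same-origin frame lets it execute with the app's privileges, and the Electron settings turn that execution into host access. Fixing only the first would be enough to close this CVE, but a defence-in-depth review would verify all three.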
Affected Version(s)
Vendor     Product                  Affected    Fixed in
notesnook  Notesnook Web/Desktop    < 3.3.15    3.3.15
notesnook  Notesnook iOS/Android    < 3.3.20    3.3.20
