Platform: javascript
Component: notesnook
Fixed in: 3.3.12
CVE-2026-33955 is a cross-site scripting (XSS) vulnerability discovered in Notesnook Web/Desktop. When combined with the backup and restore feature, it can escalate to remote code execution. It affects versions of Notesnook Web/Desktop prior to 3.3.11; the patch is available in version 3.3.11.
The vulnerability lies in the note history comparison viewer, where attacker-controlled note headers are rendered with dangerouslySetInnerHTML without sanitization, so an attacker can inject JavaScript into the page. Crucially, the Notesnook desktop application runs Electron with nodeIntegration: true and contextIsolation: false, which lets the injected JavaScript execute inside the application's Node.js environment rather than in an isolated renderer. By crafting a malicious note and delivering it through the backup and restore functionality, an attacker can achieve remote code execution on a victim's machine. This is a significant security risk: it could allow attackers to steal sensitive data, install malware, or gain complete control of the affected system.
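The two defects described above, as an added example that is not Notesnook's code: the unsafe header rendering next to its text-only fix, and the Electron webPreferences combination next to a hardened one. The React and Electron calls are modelled as plain functions so the example runs offline; the sample header is constructed and benign.

```javascript
// Added example, not Notesnook's code. It models the two defects the advisory
// names as plain functions so it runs without React or Electron.

// Escape the characters that let text break out of an HTML text node or
// attribute value; this is what React does for ordinary {children}.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the note's header string is spliced into markup, which
// is what dangerouslySetInnerHTML={{ __html: header }} does in React.
function renderHeaderUnsafe(header) {
  return `<div class="history-header">${header}</div>`;
}

// Fixed pattern: the header is rendered as text. In React that is just
// {header}; here the same effect comes from escaping before interpolation.
function renderHeaderSafe(header) {
  return `<div class="history-header">${escapeHtml(header)}</div>`;
}

// Electron side: the webPreferences combination the advisory names. With it,
// script injected into the DOM can call into Node; the hardened set keeps the
// renderer inside the browser sandbox even if an XSS slips through.
const UNSAFE_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false };
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Return the settings in a webPreferences object that would hand injected
// script Node access. An empty list means the renderer is confined.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration: true");
  if (prefs.contextIsolation === false) findings.push("contextIsolation: false");
  if (prefs.sandbox === false) findings.push("sandbox: false");
  return findings;
}

// Constructed, benign sample: a header carrying markup, as a note header that
// reaches the history viewer might.
const SAMPLE_HEADER = "Edited on <b>Friday</b> & restored";

console.log(renderHeaderUnsafe(SAMPLE_HEADER)); // markup survives into the page
console.log(renderHeaderSafe(SAMPLE_HEADER));   // markup is displayed, not interpreted
console.log(auditWebPreferences(UNSAFE_WEB_PREFERENCES));
```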
This vulnerability was publicly disclosed on 2026-03-27. While no public proof-of-concept (PoC) code has been released, the combination of XSS and remote code execution potential makes it a high-priority concern. The use of nodeIntegration: true in Electron is a known security risk, and this CVE highlights the potential consequences of misconfiguration. It is not currently listed on CISA KEV, but its severity warrants monitoring.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade Notesnook Web/Desktop to version 3.3.11 or later, which contains the fix for this vulnerability. If you cannot upgrade immediately, consider disabling the backup and restore feature as a temporary workaround. Review note history comparisons for suspicious content. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the note history comparison endpoint. Monitor Notesnook logs for unusual activity, particularly around note creation and modification. After upgrading, confirm the fix by injecting a simple XSS payload into a note and verifying that it is displayed as text rather than executed.
Update Notesnook Web/Desktop to version 3.3.11 or later. This version fixes the stored cross-site scripting vulnerability that could allow remote code execution.
CVE-2026-33955 is a cross-site scripting vulnerability in Notesnook Web/Desktop versions before 3.3.11. It allows attackers to inject malicious scripts, potentially leading to remote code execution.
Yes, if you are using Notesnook Web/Desktop version 3.3.11 or earlier, you are potentially affected by this vulnerability.
Upgrade to Notesnook Web/Desktop version 3.3.11 or later to resolve the vulnerability. As a temporary workaround, disable the backup and restore feature.
While no active exploitation has been confirmed, the vulnerability's potential for remote code execution makes it a high-priority concern and warrants immediate attention.
Please refer to the official Notesnook security advisory for detailed information and updates regarding CVE-2026-33955.