Platform: other
Component: notesnook
Fixed in: 3.3.12, 3.3.18
CVE-2026-33976 describes a critical stored Cross-Site Scripting (XSS) vulnerability discovered in Notesnook, a note-taking application. This vulnerability can be escalated to Remote Code Execution (RCE) within the desktop application, posing a significant security risk. The vulnerability affects versions of Notesnook up to and including 3.3.17 on Web/Desktop and 3.3.17 on Android/iOS, and a fix is available in version 3.3.11.
The vulnerability lies in how Notesnook handles data from the Web Clipper. When clipping content from a webpage, the application preserves attacker-controlled attributes from the source page's root element and stores them within the web-clip HTML. When the clip is later opened, Notesnook renders this HTML within an unsandboxed iframe using contentDocument.write(...). Because the frame is not sandboxed, the JavaScript carried in event-handler attributes such as onload, onclick or onmouseover runs in the Notesnook origin, which in the desktop application effectively gives an attacker the ability to execute arbitrary code on the user's machine. The potential impact is severe, ranging from data theft and account compromise to complete system takeover, particularly if the desktop application is running with elevated privileges.
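The rendering path described above is what turns a stored attribute into code execution. The following is an added example, not Notesnook's own code: a defender-side triage scan that flags inline event-handler attributes in stored clip HTML, alongside the markup for rendering a clip in a sandboxed iframe (an empty `sandbox` attribute gives the frame an opaque origin and no script execution). The tag scanner is a triage aid for a constructed clip string, not a replacement for a real HTML sanitizer.

```javascript
// Added example (not Notesnook code). Regex-based tag scanner for triage only;
// a production sanitizer should use a proper HTML parser/allowlist library.

// Opening tag with its raw attribute string (closing tags do not match).
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Return every inline event handler (on*) found in the markup, with tag and value,
// so stored clips can be audited before they are ever rendered.
function findInlineHandlers(html) {
  const hits = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, tag, attrs] = m;
    for (const a of attrs.matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name.startsWith('on')) {
        hits.push({ tag: tag.toLowerCase(), attr: name, value });
      }
    }
  }
  return hits;
}

// Build markup that renders a clip in a sandboxed iframe via srcdoc instead of
// writing it into an unsandboxed frame. With sandbox="" the clip gets a unique
// opaque origin and scripts are disabled, so a surviving onload= cannot run in
// the application's origin. srcdoc is an attribute value, so & " < > are escaped.
function sandboxedFrameMarkup(clipHtml) {
  const escaped = clipHtml
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
  return `<iframe sandbox="" srcdoc="${escaped}"></iframe>`;
}

// Constructed sample: a clip whose root element kept hostile attributes from the
// source page (hypothetical handler names, not a real payload).
const SAMPLE_CLIP =
  '<html onload="probe()" lang="en"><body onmouseover=\'x()\'><p class="a">clip</p></body></html>';

console.log(findInlineHandlers(SAMPLE_CLIP));
console.log(sandboxedFrameMarkup(SAMPLE_CLIP));
```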
CVE-2026-33976 was publicly disclosed on 2026-03-27. Currently, there are no known public proof-of-concept exploits available. The CVSS score of 9.7 (CRITICAL) reflects the severity of the outcome should the vulnerability be exploited. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not yet confirmed, but the severity warrants proactive monitoring and patching.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33976 is to immediately upgrade Notesnook to version 3.3.11 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider temporarily disabling the Web Clipper feature to prevent new clips from being created. While not a complete solution, this can reduce the attack surface. There are no specific WAF or proxy rules that can directly address this XSS vulnerability, as it originates from within the application's rendering process. After upgrading, confirm the fix by attempting to clip a webpage containing malicious attributes and verifying that the application does not execute any unintended code.
Update Notesnook to version 3.3.11 or higher on Web/Desktop and to version 3.3.17 or higher on Android/iOS. This corrects the stored XSS vulnerability that can lead to remote code execution.
CVE-2026-33976 is a critical stored XSS vulnerability in Notesnook that can be exploited to achieve remote code execution in the desktop application. It affects versions up to 3.3.17.
If you are using Notesnook version 3.3.17 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade immediately.
Upgrade Notesnook to version 3.3.11 or later to mitigate this vulnerability. If upgrading is not possible, temporarily disable the Web Clipper feature.
While no active exploitation campaigns have been confirmed, the high CVSS score indicates that exploitation, should it occur, would have severe consequences.
Refer to the official Notesnook security advisory for detailed information and updates regarding CVE-2026-33976.