Platform: javascript
Component: notesnook
Fixed in: 3.3.12
CVE-2026-33955 is a cross-site scripting (XSS) vulnerability discovered in Notesnook Web/Desktop. This vulnerability, when combined with the backup and restore feature, can escalate to remote code execution. It affects versions of Notesnook Web/Desktop prior to 3.3.11. A patch is available in version 3.3.11.
The vulnerability lies in the note history comparison viewer, where attacker-controlled headers are displayed using dangerouslySetInnerHTML without proper sanitization. This allows an attacker to inject malicious JavaScript code. Crucially, the Notesnook desktop application utilizes Electron with nodeIntegration: true and contextIsolation: false, enabling the injected JavaScript to execute within the application's Node.js environment. By crafting a malicious note and leveraging the backup and restore functionality, an attacker can achieve remote code execution on a victim's machine. This represents a significant security risk, potentially allowing attackers to steal sensitive data, install malware, or gain complete control of the affected system.
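As an added example (not Notesnook's code), the rendering shape described above next to its hardened form, a detector for the script tags and event handlers the checks further down look for, and an audit of the two Electron webPreferences that turn an XSS into code execution; the function names and the sample header are hypothetical.

```javascript
// Added example, not from the Notesnook project. Function names and the
// sample header below are constructed for illustration.

// 1. Render an untrusted note header as text, not markup. Escaping the five
//    HTML metacharacters removes the ability to inject tags or attributes;
//    in React the equivalent is rendering the string as a normal child
//    instead of passing it through dangerouslySetInnerHTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: attacker-controlled header concatenated straight into markup
// (what dangerouslySetInnerHTML on an unsanitised string amounts to).
function renderHeaderUnsafe(header) {
  return `<h2 class="history-header">${header}</h2>`;
}

// Hardened shape: same markup, untrusted text neutralised.
function renderHeaderSafe(header) {
  return `<h2 class="history-header">${escapeHtml(header)}</h2>`;
}

// 2. Detection helper for triage of existing notes: flags a <script> tag or an
//    inline event-handler attribute (onerror=, onload=, ...) in a header string.
const MARKUP_INJECTION = /<\s*script\b|\bon[a-z]+\s*=/i;

function looksLikeMarkupInjection(header) {
  return MARKUP_INJECTION.test(String(header));
}

// 3. Audit an Electron BrowserWindow webPreferences object for the two settings
//    the advisory names. Returns a list of findings; an empty list means OK.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration must be false');
  if (prefs.contextIsolation === false) findings.push('contextIsolation must be true');
  return findings;
}

// Constructed sample header carrying an injected event handler.
const SAMPLE_HEADER = 'Version 3 <img src=x onerror="alert(1)">';

console.log(renderHeaderSafe(SAMPLE_HEADER));
console.log(looksLikeMarkupInjection(SAMPLE_HEADER)); // true
console.log(auditWebPreferences({ nodeIntegration: true, contextIsolation: false }));
```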
This vulnerability was publicly disclosed on 2026-03-27. While no public proof-of-concept (PoC) code has been released, the combination of XSS and remote code execution potential makes it a high-priority concern. The use of nodeIntegration: true in Electron is a known security risk, and this CVE highlights the potential consequences of misconfiguration. It is not currently listed on CISA KEV, but its severity warrants monitoring.
Users of Notesnook Web/Desktop who are using versions prior to 3.3.11 are at risk. This includes individuals and organizations relying on Notesnook for note-taking and collaboration, particularly those who utilize the backup and restore feature. Shared hosting environments where Notesnook is installed could be particularly vulnerable, as a compromised note could affect multiple users.
• javascript / desktop:
// Check for suspicious note content in the history comparison viewer
// Look for <script> tags or event handlers
• generic web:
curl -I https://your-notesnook-instance/note/history | grep -i 'X-XSS-Protection'
• generic web:
# Check access logs for requests containing suspicious characters in note parameters
grep -i '<script' /var/log/apache2/access.log
disclosure
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Notesnook Web/Desktop to version 3.3.11 or later, which contains the fix for this vulnerability. If immediate upgrading is not possible, consider disabling the backup and restore feature as a temporary workaround. Review all note history comparisons for suspicious content. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the note history comparison endpoint. Monitor Notesnook logs for unusual activity, particularly related to note creation and modification. After upgrade, confirm the fix by attempting to inject a simple XSS payload into a note and verifying that it is not executed.
Upgrade Notesnook Web/Desktop to version 3.3.11 or later. This version fixes the stored cross-site scripting vulnerability that could allow remote code execution.
CVE-2026-33955 is a cross-site scripting vulnerability in Notesnook Web/Desktop versions before 3.3.11. It allows attackers to inject malicious scripts, potentially leading to remote code execution.
Yes, if you are using Notesnook Web/Desktop version 3.3.11 or earlier, you are potentially affected by this vulnerability.
Upgrade to Notesnook Web/Desktop version 3.3.11 or later to resolve the vulnerability. As a temporary workaround, disable the backup and restore feature.
While no active exploitation has been confirmed, the vulnerability's potential for remote code execution makes it a high-priority concern and warrants immediate attention.
Please refer to the official Notesnook security advisory for detailed information and updates regarding CVE-2026-33955.