Notesnook XSS 漏洞 (CVE-2026-33976) 影响 Web/桌面版

Notesnook Web/Desktop 中的 CVE-2026-33976 存在于一个关键风险中，因为存在远程代码执行 (RCE) 的可能性。此存储型 XSS 漏洞通过 Web Clipper 渲染流程被利用。攻击者可以将恶意代码注入到网页中，然后将其作为剪辑保存在 Notesnook 中。当在桌面应用程序中打开此剪辑时，Notesnook 会在未沙盒化的 iframe 中进行渲染。这使得攻击者能够在桌面应用程序的上下文中执行任意代码，从而可能损害用户的系统安全。CVSS 严重程度评级 9.7 反映了高概率的利用可能性以及可能产生的重大影响。

Users of Notesnook, particularly those who rely on the Web Clipper feature to capture content from websites, are at significant risk. This includes individuals and organizations using Notesnook for research, note-taking, and content management. Shared hosting environments where multiple users share a Notesnook installation are also at increased risk, as a compromised user account could potentially impact other users on the same server.

• windows / desktop: Monitor Notesnook process for unusual network activity or unexpected process creation. Use Sysinternals tools like Process Monitor to observe file system and registry modifications.

Get-Process Notesnook | Select-Object -ExpandProperty Path

• linux / server: (Notesnook desktop app may run on Linux via Wine) Monitor Notesnook process for unusual network activity. Examine system logs for suspicious entries related to Notesnook.

ps aux | grep Notesnook

• generic web: Monitor web server access logs for requests containing suspicious HTML attributes or JavaScript code within the Web Clipper URL.

grep -i 'onload|onclick|onmouseover' /var/log/apache2/access.log

1. 2026-03-27Disclosure

   disclosure

1. 已保留2026-03-24
2. 发布日期2026-03-27
3. 修改日期2026-04-03
4. EPSS 更新日期2026-04-04

为了减轻此风险，强烈建议将 Notesnook 更新到 Web/Desktop 的 3.3.11 版本和 Android/iOS 的 3.3.17 版本。这些更新通过实施安全措施来防止 Web Clipper 渲染过程中恶意代码的注入和执行，从而修复了漏洞。在应用更新时，建议避免打开可疑的 Web 剪辑或来自不可信来源的剪辑。监控 Notesnook 应用程序中的异常活动也有助于检测潜在的利用尝试。