CVE-2026-31876
- Source
- https://cve.org/CVERecord?id=CVE-2026-31876
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31876.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-31876
- Aliases
-
- GHSA-jprx-2w2h-4rh5
- Published
- 2026-03-11T18:17:08.142Z
- Modified
- 2026-04-10T05:42:57.450646Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)
- Details
-
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31876.json", "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31876.json
- https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5
- https://nvd.nist.gov/vuln/detail/CVE-2026-31876
- https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7
Affected packages
Git / github.com/streetwriters/notesnook
Affected ranges
- Type
- GIT
- Repo
- https://github.com/streetwriters/notesnook
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
2.*
2.2.0-android
2.2.1-android
2.2.2-android
2.2.3-android
2.2.4-android
2.2.5-android
2.2.6-android
2.3.0-android
2.4.0-android
2.4.1-android
2.4.10-android
2.4.11-android
2.4.12-android
2.4.13-android
2.4.14-android
2.4.15-android
2.4.16-android
2.4.17-android
2.4.2-android
2.4.3-android
2.4.4-android
2.4.5-android
2.4.6-android
2.4.7-android
2.4.8-android
2.4.9-android
2.5.0-android
2.5.1-android
2.5.2-android
2.5.3-android
2.5.4-android
2.5.5-android
2.5.6-android
2.6.0-android
2.6.1-android
2.6.10-android
2.6.11-android
2.6.12-android
2.6.14-android
2.6.15-android
2.6.16-android
2.6.17-android
2.6.18-android
2.6.2-android
2.6.3-android
2.6.4-android
2.6.5-android
2.6.6-android
2.6.7-android
2.6.8-android
2.6.9-android
3.*
3.0.0-android
3.0.0-beta-android
3.0.1-android
3.0.1-beta-android
3.0.10-android
3.0.10-beta-android
3.0.11-android
3.0.12-android
3.0.12-beta-android
3.0.13-android
3.0.13-beta-android
3.0.14-beta-android
3.0.15-android
3.0.15-beta-android
3.0.16-android
3.0.16-beta-android
3.0.17-android
3.0.17-beta-android
3.0.18-android
3.0.2-android
3.0.2-beta-android
3.0.20-android
3.0.21-android
3.0.22-android
3.0.23-android
3.0.24-android
3.0.25-android
3.0.26-android
3.0.27-android
3.0.28-android
3.0.29-android
3.0.3-android
3.0.3-beta-android
3.0.30-android
3.0.31-android
3.0.32-android
3.0.4-android
3.0.4-beta-android
3.0.5-android
3.0.5-beta-android
3.0.6-android
3.0.6-beta-android
3.0.7-android
3.0.7-beta-android
3.0.8-android
3.0.8-beta-android
3.0.9-android
3.0.9-beta-android
3.1.0-android
3.1.0-beta.0-beta-android
3.1.0-beta.1-beta-android
3.1.0-beta.2-beta-android
3.1.0-beta.3-beta-android
3.1.1-android
3.2.0-android
3.2.0-beta.0-beta-android
3.2.0-beta.1-beta-android
3.2.0-beta.2-beta-android
3.2.0-beta.3-beta-android
3.2.0-beta.4-beta-android
3.2.1-android
3.2.10-android
3.2.11-android
3.2.12-android
3.2.2-android
3.2.3-android
3.2.4-android
3.2.5-android
3.2.7-android
3.2.8-android
3.2.9-android
3.3.0-android
3.3.1-android
3.3.10-beta.0-beta-android
3.3.10-beta.3-beta-android
3.3.10-beta.4-beta-android
3.3.10-beta.5-beta-android
3.3.10-beta.6-beta-android
3.3.13-beta.1-beta-android
3.3.14-android
3.3.2-android
3.3.3-android
3.3.4-android
3.3.5-android
3.3.9-android
v2.*
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.15
v2.6.16
v2.6.17
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v3.*
v3.0.0
v3.0.0-beta
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.2
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.3
v3.0.30
v3.0.31
v3.0.32
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.9-beta
v3.1.0
v3.1.0-beta.2
v3.1.0-beta.3
v3.1.1
v3.2.0
v3.2.2
v3.2.3
v3.2.4
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7