CVE-2026-33955

Source
https://cve.org/CVERecord?id=CVE-2026-33955
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33955.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33955
Aliases
  • GHSA-45g3-cv93-q59v
Published
2026-03-27T21:27:31.554Z
Modified
2026-04-10T05:42:59.115351Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Notesnook vulnerable to RCE via stored XSS in Note History diff viewer
Details

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a stored cross-site scripting vulnerability in the note history comparison viewer can escalate to remote code execution in the desktop application. The issue is triggered when an attacker-controlled note header is displayed using dangerouslySetInnerHTML without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 patches the issue.

Database specific
{
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33955.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/streetwriters/notesnook

Affected ranges

Type
GIT
Repo
https://github.com/streetwriters/notesnook
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.11"
        }
    ]
}

Affected versions

2.*
2.2.0-android
2.2.1-android
2.2.2-android
2.2.3-android
2.2.4-android
2.2.5-android
2.2.6-android
2.3.0-android
2.4.0-android
2.4.1-android
2.4.10-android
2.4.11-android
2.4.12-android
2.4.13-android
2.4.14-android
2.4.15-android
2.4.16-android
2.4.17-android
2.4.2-android
2.4.3-android
2.4.4-android
2.4.5-android
2.4.6-android
2.4.7-android
2.4.8-android
2.4.9-android
2.5.0-android
2.5.1-android
2.5.2-android
2.5.3-android
2.5.4-android
2.5.5-android
2.5.6-android
2.6.0-android
2.6.1-android
2.6.10-android
2.6.11-android
2.6.12-android
2.6.14-android
2.6.15-android
2.6.16-android
2.6.17-android
2.6.18-android
2.6.2-android
2.6.3-android
2.6.4-android
2.6.5-android
2.6.6-android
2.6.7-android
2.6.8-android
2.6.9-android
3.*
3.0.0-android
3.0.0-beta-android
3.0.1-android
3.0.1-beta-android
3.0.10-android
3.0.10-beta-android
3.0.11-android
3.0.12-android
3.0.12-beta-android
3.0.13-android
3.0.13-beta-android
3.0.14-beta-android
3.0.15-android
3.0.15-beta-android
3.0.16-android
3.0.16-beta-android
3.0.17-android
3.0.17-beta-android
3.0.18-android
3.0.2-android
3.0.2-beta-android
3.0.20-android
3.0.21-android
3.0.22-android
3.0.23-android
3.0.24-android
3.0.25-android
3.0.26-android
3.0.27-android
3.0.28-android
3.0.29-android
3.0.3-android
3.0.3-beta-android
3.0.30-android
3.0.31-android
3.0.32-android
3.0.4-android
3.0.4-beta-android
3.0.5-android
3.0.5-beta-android
3.0.6-android
3.0.6-beta-android
3.0.7-android
3.0.7-beta-android
3.0.8-android
3.0.8-beta-android
3.0.9-android
3.0.9-beta-android
3.1.0-android
3.1.0-beta.0-beta-android
3.1.0-beta.1-beta-android
3.1.0-beta.2-beta-android
3.1.0-beta.3-beta-android
3.1.1-android
3.2.0-android
3.2.0-beta.0-beta-android
3.2.0-beta.1-beta-android
3.2.0-beta.2-beta-android
3.2.0-beta.3-beta-android
3.2.0-beta.4-beta-android
3.2.1-android
3.2.10-android
3.2.11-android
3.2.12-android
3.2.2-android
3.2.3-android
3.2.4-android
3.2.5-android
3.2.7-android
3.2.8-android
3.2.9-android
3.3.0-android
3.3.1-android
3.3.10-beta.0-beta-android
3.3.10-beta.3-beta-android
3.3.10-beta.4-beta-android
3.3.10-beta.5-beta-android
3.3.10-beta.6-beta-android
3.3.13-beta.1-beta-android
3.3.14-android
3.3.15-android
3.3.16-android
3.3.2-android
3.3.3-android
3.3.4-android
3.3.5-android
3.3.9-android
v2.*
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.15
v2.6.16
v2.6.17
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v3.*
v3.0.0
v3.0.0-beta
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.2
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.3
v3.0.30
v3.0.31
v3.0.32
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.9-beta
v3.1.0
v3.1.0-beta.2
v3.1.0-beta.3
v3.1.1
v3.2.0
v3.2.2
v3.2.3
v3.2.4
v3.3.1
v3.3.10
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33955.json"