CVE-2026-33976

Source
https://cve.org/CVERecord?id=CVE-2026-33976
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33976.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33976
Aliases
  • GHSA-f42f-phvp-43x5
Published
2026-03-27T21:26:10.127Z
Modified
2026-04-10T05:42:59.153243Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering
Details

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page's root element and stores them inside the web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using contentDocument.write(...). Event-handler attributes such as onload, onclick, or onmouseover therefore execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS patch the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33976.json"
}
References

Affected packages

Git / github.com/streetwriters/notesnook

Affected ranges

Type
GIT
Repo
https://github.com/streetwriters/notesnook
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.11"
        },
        {
            "fixed": "3.3.17"
        }
    ]
}

Affected versions

2.*
2.2.0-android
2.2.1-android
2.2.2-android
2.2.3-android
2.2.4-android
2.2.5-android
2.2.6-android
2.3.0-android
2.4.0-android
2.4.1-android
2.4.10-android
2.4.11-android
2.4.12-android
2.4.13-android
2.4.14-android
2.4.15-android
2.4.16-android
2.4.17-android
2.4.2-android
2.4.3-android
2.4.4-android
2.4.5-android
2.4.6-android
2.4.7-android
2.4.8-android
2.4.9-android
2.5.0-android
2.5.1-android
2.5.2-android
2.5.3-android
2.5.4-android
2.5.5-android
2.5.6-android
2.6.0-android
2.6.1-android
2.6.10-android
2.6.11-android
2.6.12-android
2.6.14-android
2.6.15-android
2.6.16-android
2.6.17-android
2.6.18-android
2.6.2-android
2.6.3-android
2.6.4-android
2.6.5-android
2.6.6-android
2.6.7-android
2.6.8-android
2.6.9-android
3.*
3.0.0-android
3.0.0-beta-android
3.0.1-android
3.0.1-beta-android
3.0.10-android
3.0.10-beta-android
3.0.11-android
3.0.12-android
3.0.12-beta-android
3.0.13-android
3.0.13-beta-android
3.0.14-beta-android
3.0.15-android
3.0.15-beta-android
3.0.16-android
3.0.16-beta-android
3.0.17-android
3.0.17-beta-android
3.0.18-android
3.0.2-android
3.0.2-beta-android
3.0.20-android
3.0.21-android
3.0.22-android
3.0.23-android
3.0.24-android
3.0.25-android
3.0.26-android
3.0.27-android
3.0.28-android
3.0.29-android
3.0.3-android
3.0.3-beta-android
3.0.30-android
3.0.31-android
3.0.32-android
3.0.4-android
3.0.4-beta-android
3.0.5-android
3.0.5-beta-android
3.0.6-android
3.0.6-beta-android
3.0.7-android
3.0.7-beta-android
3.0.8-android
3.0.8-beta-android
3.0.9-android
3.0.9-beta-android
3.1.0-android
3.1.0-beta.0-beta-android
3.1.0-beta.1-beta-android
3.1.0-beta.2-beta-android
3.1.0-beta.3-beta-android
3.1.1-android
3.2.0-android
3.2.0-beta.0-beta-android
3.2.0-beta.1-beta-android
3.2.0-beta.2-beta-android
3.2.0-beta.3-beta-android
3.2.0-beta.4-beta-android
3.2.1-android
3.2.10-android
3.2.11-android
3.2.12-android
3.2.2-android
3.2.3-android
3.2.4-android
3.2.5-android
3.2.7-android
3.2.8-android
3.2.9-android
3.3.0-android
3.3.1-android
3.3.10-beta.0-beta-android
3.3.10-beta.3-beta-android
3.3.10-beta.4-beta-android
3.3.10-beta.5-beta-android
3.3.10-beta.6-beta-android
3.3.13-beta.1-beta-android
3.3.14-android
3.3.15-android
3.3.16-android
3.3.2-android
3.3.3-android
3.3.4-android
3.3.5-android
3.3.9-android
v2.*
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.15
v2.6.16
v2.6.17
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v3.*
v3.0.0
v3.0.0-beta
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.2
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.3
v3.0.30
v3.0.31
v3.0.32
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.9-beta
v3.1.0
v3.1.0-beta.2
v3.1.0-beta.3
v3.1.1
v3.2.0
v3.2.2
v3.2.3
v3.2.4
v3.3.1
v3.3.10
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33976.json"