Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using contentDocument.write(...). Event-handler attributes such as onload, onclick, or onmouseover execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
{
"cna_assigner": "GitHub_M",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33976.json",
"cwe_ids": [
"CWE-79",
"CWE-94"
]
}{
"cpe": [
"cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:*",
"cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:android:*:*",
"cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:iphone_os:*:*"
],
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.3.11"
},
{
"fixed": "3.3.17"
}
]
}