{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33955", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.106Z", "datePublished": "2026-03-27T21:27:31.554Z", "dateUpdated": "2026-03-30T18:40:19.433Z"}, "containers": {"cna": {"title": "Notesnook vulnerable to RCE via stored XSS in Note History diff viewer", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v"}], "affected": [{"vendor": "streetwriters", "product": "Notesnook Web/Desktop", "versions": [{"version": "< 3.3.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:27:31.554Z"}, "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."}], "source": {"advisory": "GHSA-45g3-cv93-q59v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:40:12.801154Z", "id": "CVE-2026-33955", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:40:19.433Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33955", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T18:40:12.801154Z"}}}], "references": [{"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:40:06.902Z"}}], "cna": {"title": "Notesnook vulnerable to RCE via stored XSS in Note History diff viewer", "source": {"advisory": "GHSA-45g3-cv93-q59v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "streetwriters", "product": "Notesnook Web/Desktop", "versions": [{"status": "affected", "version": "< 3.3.11"}]}], "references": [{"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:27:31.554Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33955", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:40:19.433Z", "dateReserved": "2026-03-24T19:50:52.106Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:27:31.554Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."}], "id": "CVE-2026-33955", "lastModified": "2026-03-30T19:16:26.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:22.083", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Notesnook Web/Desktop", "source": "cna", "vendor": "streetwriters"}, "product": "notesnook_web/desktop", "vendor": "streetwriters"}], "analysis": {"en": {"generated_at": "2026-03-28T06:11:45.228009+00:00", "value": {"mitigation_remediation": ["Update Notesnook to version\u202f3.3.11 or later on both Web and Desktop.", "Verify that no older versions remain in use.", "If upgrading is not immediately possible, disable the backup and restore feature in the desktop application to block the exploitation path.", "Remove any note headers that contain potentially malicious payloads.", "Monitor for suspicious note header changes and review backup logs for anomalous activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects both the Notesnook Web and Desktop editions supplied by streetwriters, with all releases prior to version\u202f3.3.11 vulnerable. Users running older versions should verify their installed version and plan an upgrade.", "description_and_impact": "Notesnook, a note\u2011taking application, contains a stored cross\u2011site scripting flaw in its note history comparison viewer that can be leveraged for remote code execution. The vulnerability arises when an attacker injects malicious code into a note header that is rendered by the application\u2019s web interface using React\u2019s dangerouslySetInnerHTML without proper sanitization. In the desktop version, the injected script can gain local execution because Electron is configured with nodeIntegration enabled and contextIsolation disabled, turning the XSS into an execution path for arbitrary code. This flaw is classified as CWE\u201179 (Cross\u2011Site Scripting) and CWE\u201194 (Improper Control of Generation of Code), and its exploitation can compromise confidentiality, integrity, and availability of the victim\u2019s data and processes.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited confirmed exploitation as of the available data. The likely attack vector involves an attacker creating a note with a malicious header via the web interface, then persuading the victim to use the desktop application\u2019s full backup and restore feature. Based on the description, this scenario is inferred as the path that converts the stored XSS into remote code execution. The risk remains high if the application is left unpatched, especially for users who enable backup and restore functions."}}}}, "created": "2026-03-29T20:29:36.190224+00:00", "updated": "2026-03-30T07:00:01.799129+00:00", "vendors": ["streetwriters", "streetwriters$PRODUCT$notesnook_web/desktop"]}