CVE Catalog

CVE-2026-42090

Critical
Published: Translated: NVD NIST

Summary

Notesnook has a stored XSS vulnerability that can lead to remote code execution in the desktop app. The issue arises from exported note fields being inserted into the HTML template without proper escaping.

Risk Assessment

Exploitation of this vulnerability could allow an attacker to execute remote code on the user's device, posing a serious threat to data security and privacy.

Recommendation

It is recommended to upgrade to Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20, which contain fixes for this vulnerability.

Original NVD description (English source)

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS