{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31876", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.014Z", "datePublished": "2026-03-11T18:17:08.142Z", "dateUpdated": "2026-03-12T20:08:12.048Z"}, "containers": {"cna": {"title": "Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5"}, {"name": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7", "tags": ["x_refsource_MISC"], "url": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7"}], "affected": [{"vendor": "streetwriters", "product": "notesnook", "versions": [{"version": "< 3.3.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:17:08.142Z"}, "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9."}], "source": {"advisory": "GHSA-jprx-2w2h-4rh5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:08:06.045805Z", "id": "CVE-2026-31876", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:08:12.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31876", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T20:08:06.045805Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:08:09.400Z"}}], "cna": {"title": "Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)", "source": {"advisory": "GHSA-jprx-2w2h-4rh5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "streetwriters", "product": "notesnook", "versions": [{"status": "affected", "version": "< 3.3.9"}]}], "references": [{"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5", "name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7", "name": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:17:08.142Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31876", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:08:12.048Z", "dateReserved": "2026-03-09T19:02:25.014Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T18:17:08.142Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:*", "matchCriteriaId": "8756DA11-54F2-4580-80D6-B66BDD875599", "versionEndExcluding": "3.3.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:android:*:*", "matchCriteriaId": "D6F019A8-553F-4070-8235-F57DC7A489F4", "versionEndExcluding": "3.3.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "5EFF2675-83AD-4E81-9DDC-A1706C799A00", "versionEndExcluding": "3.3.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9."}, {"lang": "es", "value": "Notesnook es una aplicaci\u00f3n para tomar notas centrada en la privacidad del usuario y la facilidad de uso. Previo a la 3.3.9, exist\u00eda una vulnerabilidad de cross-site scripting (XSS) almacenado en el componente de incrustaci\u00f3n del editor de Notesnook al renderizar URLs de incrustaci\u00f3n de Twitter/X. La funci\u00f3n tweetToEmbed() en component.tsx interpolaba la URL proporcionada por el usuario directamente en una cadena HTML sin escapar, la cual se asignaba luego al atributo srcdoc de un . Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.3.9."}], "id": "CVE-2026-31876", "lastModified": "2026-03-17T15:59:17.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T19:16:04.140", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "notesnook", "source": "cna", "vendor": "streetwriters"}, "product": "notesnook", "vendor": "streetwriters"}], "analysis": {"en": {"generated_at": "2026-03-17T17:52:47.792247+00:00", "value": {"mitigation_remediation": ["Upgrade Notesnook to version 3.3.9 or later", "Check the vendor\u2019s website or GitHub releases for additional security updates"], "summary": {"action": "Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "All releases of the Notesnook desktop, Android, and iPhone OS applications issued before version 3.3.9 are affected. The Common Platform Enumeration strings confirm coverage of the desktop, Android, and iOS builds under the streetwriters:notesnook vendor. No specific sub\u2011versions are listed, so the assumption is that every build up to but not including 3.3.9 contains the flaw.", "description_and_impact": "Prior to version 3.3.9, Notesnook\u2019s editor allowed users to embed Twitter/X URLs directly into a note. The tweetToEmbed() function in component.tsx concatenated the supplied URL into an HTML string that was then assigned to the srcdoc attribute of an iframe. Because the URL was not sanitized, an attacker could inject malicious JavaScript into that string. When the note is later viewed, the embedded script runs in the victim\u2019s browser context, which can lead to session hijacking, credential theft, or other arbitrary code execution. This flaw is a classic stored Cross\u2011Site Scripting vulnerability classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not present in the CISA KEV catalog. Exploitation requires an attacker to create or inject a malicious note including the crafted Twitter/X embed URL. When any user, including the note owner, opens that note, the injected code executes within the Notesnook application. The likely attack vector is inferred to be Local XSS within the application environment; this inference is drawn from the description of the stored nature of the flaw and the requirement that the user open the compromised note."}}}}, "created": "2026-03-12T09:57:22.749990+00:00", "updated": "2026-03-20T15:29:57.055330+00:00", "vendors": ["streetwriters", "streetwriters$PRODUCT$notesnook"]}