{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33955", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.106Z", "datePublished": "2026-03-27T21:27:31.554Z", "dateUpdated": "2026-04-03T13:02:56.898Z"}, "containers": {"cna": {"title": "Notesnook vulnerable to RCE via stored XSS in Note History diff viewer", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v"}], "affected": [{"vendor": "streetwriters", "product": "Notesnook Web/Desktop", "versions": [{"version": "< 3.3.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:27:31.554Z"}, "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."}], "source": {"advisory": "GHSA-45g3-cv93-q59v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T03:55:21.973411Z", "id": "CVE-2026-33955", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:02:56.898Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33955", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T03:55:21.973411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:40:06.902Z"}}], "cna": {"title": "Notesnook vulnerable to RCE via stored XSS in Note History diff viewer", "source": {"advisory": "GHSA-45g3-cv93-q59v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "streetwriters", "product": "Notesnook Web/Desktop", "versions": [{"status": "affected", "version": "< 3.3.11"}]}], "references": [{"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:27:31.554Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33955", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:02:56.898Z", "dateReserved": "2026-03-24T19:50:52.106Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:27:31.554Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:*", "matchCriteriaId": "08C11EDB-67C1-4E85-A07D-0164CB036757", "versionEndExcluding": "3.3.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue."}], "id": "CVE-2026-33955", "lastModified": "2026-04-02T14:16:30.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:22.083", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-45g3-cv93-q59v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Notesnook Web/Desktop", "source": "cna", "vendor": "streetwriters"}, "product": "notesnook_web/desktop", "vendor": "streetwriters"}], "analysis": {"en": {"generated_at": "2026-03-31T19:40:36.357231+00:00", "value": {"mitigation_remediation": ["Install version 3.3.11 or newer of the Notesnook web and desktop applications.", "If an upgrade is not immediately possible, remove or disable the full backup and restore feature in the desktop client to break the execution chain.", "If using a browser\u2011based interface, restrict note share permissions to trusted users and audit for unexpected note header content."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All users of the Notesnook web and desktop client with versions earlier than 3.3.11 are impacted. This includes the streetwriters:Notesnook Web/Desktop product line. Upgrading to 3.3.11 or later removes the flaw.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in the note history comparison viewer of the Notesnook web and desktop apps. Attackers can insert malicious HTML in a note header, which is rendered with dangerouslySetInnerHTML without sanitization. When the desktop application subsequently uses the full backup and restore feature, the embedded script runs inside Electron because node integration is enabled and context isolation is disabled, allowing the attacker to execute arbitrary code on the victim's machine.", "risk_and_exploitability": "The CVSS score is 8.6, indicating a high severity. EPSS is below 1%, suggesting a low probability of widespread exploitation at present. The issue is not listed in CISA\u2019s KEV catalog. The likely attack path involves an adversary crafting a malicious note or note history entry that a legitimate user opens; the script then executes in the desktop context. Because the vulnerability requires the desktop Electron environment, but the initial trigger occurs through the web interface, the attack can be performed against an attacker\u2019s own machine or via a compromised colleague\u2019s session. The combination of a stored XSS and insecure Electron settings turns the flaw into a remote code execution vector."}}}}, "created": "2026-03-29T20:29:36.190224+00:00", "updated": "2026-03-31T20:00:36.137155+00:00", "vendors": ["streetwriters", "streetwriters$PRODUCT$notesnook_web/desktop"]}