CVE-2026-42090

CRITICAL EPSS 37.7%
Published May 4, 20261mo ago · Modified Jun 17, 20262w ago
9.6 CVSS 3.1
Critical
Find Similar
Published May 4, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.

CVSS Details

Base Score
9.6
Exploitability
2.8
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
37.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-79 Cross-site Scripting Injection
CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 3

VendorProductVersionRange
streetwritersnotesnook_desktop* <3.3.15
streetwritersnotesnook_mobile* <3.3.20
streetwritersnotesnook_mobile* <3.3.20

References 3

  • github.com https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android
    Release Notes
  • github.com https://github.com/streetwriters/notesnook/releases/tag/v3.3.15
    Release Notes
  • github.com https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.