CVE-2026-33976

🔴 Łataj teraz

XSS w Notesnook pozwala na zdalne wykonanie kodu w aplikacji desktopowej.

CVSS

9.6

EPSS

0.1%

Exploit

poc

Vendor

streetwriters

Opis źródłowy (NVD)

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.

exploit rce xss Brak patcha

Źródła i daty

Źródło	Wartość
NVD – CVSS	9.6
CISA KEV (aktywnie wykorzystywane)	Nie
FIRST EPSS (prawdopodobieństwo exploita)	0.1%
Opublikowano (NVD)	2026-03-27 22:16:22 UTC
Ostatnia modyfikacja (NVD)	2026-03-31 18:21:36 UTC

Referencje

https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5 (security-advisories@github.com) [Exploit, Vendor Advisory]