CVE-2026-33976
Published: 27 March 2026
Description
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
Mitigating Controls (NIST 800-53 r5)
Validates and sanitizes web clipper inputs to prevent storage of attacker-controlled event-handler attributes that enable stored XSS.
Filters HTML output when rendering stored web clips in iframes to block execution of malicious JavaScript from preserved attributes.
Enforces secure Electron configuration settings like nodeIntegration: false and contextIsolation: true to prevent XSS payloads from escalating to RCE.
Security Summary
CVE-2026-33976 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79 and CWE-94, in the Web Clipper rendering flow of Notesnook, an open-source note-taking application. It affects Web and Desktop versions prior to 3.3.11 and Android/iOS versions prior to 3.3.17. The issue stems from the Web Clipper preserving attacker-controlled attributes, such as event handlers like onload, onclick, or onmouseover, from the root element of a clipped webpage and storing them in the web-clip HTML. When the clip is later viewed, Notesnook renders this HTML inside a same-origin, unsandboxed iframe via contentDocument.write(), allowing the malicious attributes to execute JavaScript in the Notesnook origin. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
An attacker can exploit this by controlling a malicious webpage that a victim clips using Notesnook's Web Clipper feature. No authentication or privileges are required (PR:N), but user interaction is needed for the victim to clip the page and subsequently open the stored clip (UI:R). In the Web or mobile apps, this results in arbitrary JavaScript execution within the Notesnook context. On the Electron-based Desktop app, where nodeIntegration is enabled and contextIsolation is disabled, the XSS escalates to full remote code execution (RCE), granting the attacker high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) on the victim's local system.
The official patch is available in Notesnook version 3.3.11 for Web and Desktop, and 3.3.17 for Android and iOS, which addresses the improper handling of preserved attributes in web clips. Additional details, including the full advisory and patch information, are provided in the GitHub Security Advisory at https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5. Security practitioners should urge users to update immediately and avoid clipping untrusted webpages.
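As an added example (not Notesnook's code), the following JavaScript shows the two defensive controls the description and mitigating controls above call for: allow-listing the attributes a clipper preserves from the source page's root element, and scanning or stripping `on*` event-handler attributes from stored clips before they are written into the rendering iframe. The allow-list, the regex tokenizer and the sample clip are assumptions made for this example; the rendering-side fixes (a sandboxed iframe, `nodeIntegration: false`, `contextIsolation: true`) are not shown because they need a DOM and Electron runtime.

```javascript
// Added example (not Notesnook's code): allow-list root attributes at clip time,
// and find/strip on* event-handler attributes in stored clips before rendering.
// Allow-list, regexes and SAMPLE_CLIP are assumptions made for this example.
// Root-element attributes a clipper plausibly needs (assumed allow-list).
const ROOT_ATTRIBUTE_ALLOWLIST = new Set(["lang", "dir", "class"]);

// Deliberately broad: any attribute whose name starts with "on" is rejected.
function isEventHandlerAttribute(name) {
  return /^on\w+$/i.test(name);
}

// attrs: array of [name, value] pairs as read from element.attributes.
// Only allow-listed names survive; onload/onclick/onmouseover never do.
function preserveRootAttributes(attrs) {
  const kept = {};
  for (const [rawName, value] of attrs) {
    const name = rawName.toLowerCase();
    if (isEventHandlerAttribute(name) || !ROOT_ATTRIBUTE_ALLOWLIST.has(name)) continue;
    kept[name] = value;
  }
  return kept;
}

// Heuristic tokenizer for already-stored clips. TAG_RE stops at the first ">",
// so a ">" inside a quoted value splits the tag: fine for auditing legacy notes,
// not a substitute for a DOM-based sanitizer such as DOMPurify.
const TAG_RE = /<([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /\s*([^\s=>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?/g;

// Lists every event-handler attribute in a stored clip, with its tag.
function findEventHandlers(html) {
  const hits = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      if (isEventHandlerAttribute(attr[1])) {
        hits.push({ tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase() });
      }
    }
  }
  return hits;
}

// Rewrites a stored clip with every on* attribute (and its value) removed.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (_m, tag, attrs) =>
    `<${tag}${attrs.replace(ATTR_RE, (a, name) => (isEventHandlerAttribute(name) ? "" : a))}>`);
}

// Constructed sample: a clipped page whose root and body carry handlers.
const SAMPLE_CLIP = '<html lang="en" onload="alert(1)" OnMouseOver="x()"><body class="c" onclick="y()"><p>note</p></body></html>';

console.log(findEventHandlers(SAMPLE_CLIP), stripEventHandlers(SAMPLE_CLIP));
```

Even with handlers stripped, a clip should still be rendered into an iframe carrying the `sandbox` attribute rather than written into a same-origin document with `contentDocument.write`.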
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stored XSS in the Notesnook Web Clipper enables exploitation of a client-application vulnerability for arbitrary JavaScript execution, and for RCE in the Electron desktop app.