Cyber Posture

CVE-2026-42090

Critical

Published: 04 May 2026
Modified: 07 May 2026
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.2 percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Notesnook is a note-taking app focused on user privacy and ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Requires filtering and HTML escaping of note fields before they are inserted into the export HTML template, which is the direct fix: escaped text cannot become a script element or an event-handler attribute in the unsandboxed iframe.

prevent: Enforces a secure Electron renderer configuration (nodeIntegration: false and contextIsolation: true) so that script running in the Notesnook origin has no Node.js APIs, which blocks the escalation from XSS to RCE in the desktop app.

prevent: Validates and sanitizes user input in the note title, headline, and content at storage time so that malicious script is less likely to be stored in the first place. This is defense in depth only; output escaping at the template remains the primary control, since stored data can arrive through sync, import, or older clients that did not filter it.

Security Summary (AI)

CVE-2026-42090 is a stored cross-site scripting (XSS) vulnerability in the note export flow of Notesnook, a privacy-focused note-taking application. It affects Notesnook Web and Desktop versions prior to 3.3.15, as well as Notesnook iOS and Android versions prior to 3.3.20. The issue stems from exported note fields (title, headline, and content) being inserted into a generated HTML template without HTML escaping. During PDF export, that HTML is rendered in a same-origin, unsandboxed iframe via the srcdoc attribute, so injected script executes in the Notesnook origin.

The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) describes a network-reachable attacker who needs no privileges but does depend on a victim action: the victim must hold a note whose title, headline, or content the attacker crafted and then export it to PDF. The scope change (S:C) reflects that the script escapes the exported document and runs in the application's own origin. On Web and mobile the impact is bounded by what that origin can reach. In the Electron-based desktop app the same script reaches Node.js, because the renderer runs with nodeIntegration: true and contextIsolation: false, which turns the XSS into remote code execution with the privileges of the user running Notesnook (CVSS 9.6: C:H/I:H/A:H). Associated CWEs are CWE-79 (cross-site scripting) and CWE-94 (code injection).

Notesnook fixed the issue in Web/Desktop version 3.3.15 and iOS/Android version 3.3.20, as detailed in the GitHub security advisory GHSA-fjm8-jg78-89h4 and the corresponding release notes. Users should update to these versions.

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'), CWE-94 (Improper Control of Generation of Code, 'Code Injection')

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.007 Command and Scripting Interpreter: JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The stored XSS in the client-side export flow gives the attacker JavaScript execution inside the application origin (T1059.007); the Electron misconfiguration (nodeIntegration: true, contextIsolation: false) turns that into arbitrary code execution on the host when the victim's desktop client performs the export (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
