CVE-2026-33976
CRIT 9.6Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
Affected Applications in Environment
14
Desktop
v4.67.0 (4.67.0.5)
2 devices
Desktop
v4.41.2 (4.41.2.20)
2 devices
Desktop
v4.62.0 (4.62.0.11)
2 devices
Desktop
v4.63.0 (4.63.0.11)
3 devices
Desktop
v4.66.0 (4.66.0.6)
4 devices
Desktop
v3.1.0
1 device
Desktop
v4.64.0 (4.64.0.4)
3 devices
Desktop
v4.53.0 (4.52.0.4)
1 device
Desktop
v4.65.0 (4.65.0.4)
4 devices
Desktop
v4.50.0 (4.50.0.5)
1 device
Desktop
v4.66.1 (4.66.1.8)
3 devices
Desktop
v4.61.0 (4.61.0.14)
1 device
Desktop
v2.0.0.3
1 device
Desktop
v4.49.0 (4.49.0.17)
1 device
Affected Devices
18
DESKTOP-QO5C653
Windows
DPEBIE-5171H8C
Windows
Dallins-MacBook-Pro-2.local
Mac
F-16
Mac
RobertsMacbookPro.local
Mac
Zhiyuns-MacBook-Pro.local
Mac
a00288946-F6VM65M2H3
Mac
a00295943-YF4WY76Q4D
Mac
a00957369-K6KVHY00C5
Mac
a01513577-M7GJNF6XQR
Mac
a01841079-LK4T0Y7FP4
Mac
a01875599-TY6TF9Y69L
Mac
a02273884-FYQGVQ1TFP
Mac
a02490072-PCVFY9PJV6
Mac
adamthomas-H73N967GM2
Mac
admin.integrations's iMac -H12CRHNTJV40
Mac
ah-mbp.lan
Mac
ken-mpb16-LG9VYFY7QD
Mac