CVE-2026-33976 - Notesnook - Stored XSS & Remote Code Execution

Overview

Notesnook prior to 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS) contains a stored XSS caused by preservation of attacker-controlled attributes in web-clip HTML, letting attackers achieve remote code execution in the desktop app, exploit requires opening crafted clips.

Severity & Score

Severity: Critical

CVSS Score: 9.6

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code remotely in the desktop app, potentially compromising the user's system.

Mitigation

Update to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS or later.

References

https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5

Social Media Activity(6 posts)

TheHackerWire

@thehackerwire

Mar 27, 2026

🔴 CVE-2026-33976 - Critical (9.6) Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper prese... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33976/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 27, 2026

🔴 CVE-2026-33976 - Critical (9.6) Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper prese... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33976/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Offensive Sequence

@offseq

Mar 27, 2026

🚨CRITICAL: CVE-2026-33976 in Notesnook Web/Desktop <3.3.11 — stored XSS in Web Clipper leads to RCE via Electron misconfig. Patch ASAP & review Electron security settings. More: https://radar.offseq.com/threat/cve-2026-33976-cwe-79-improper-neutralization-of-i-cedece5d #OffSeq #XSS #CyberSecurity #RCE

View original post

TheHackerWire

@thehackerwire

Mar 27, 2026

🔴 CVE-2026-33976 - Critical (9.6) Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper prese... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33976/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 27, 2026

🔴 CVE-2026-33976 - Critical (9.6) Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper prese... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33976/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Offensive Sequence

@offseq

Mar 27, 2026

🚨CRITICAL: CVE-2026-33976 in Notesnook Web/Desktop <3.3.11 — stored XSS in Web Clipper leads to RCE via Electron misconfig. Patch ASAP & review Electron security settings. More: https://radar.offseq.com/threat/cve-2026-33976-cwe-79-improper-neutralization-of-i-cedece5d #OffSeq #XSS #CyberSecurity #RCE

View original post

CVE-2026-33976 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(6 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score