CVE-2026-33978
Stored XSS in Notesnook Mobile Share WebView Before

Publication date: 2026-04-01

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
streetwriters notesnook_mobile to 3.3.17 (exc)
streetwriters notesnook_mobile to 3.3.17 (exc)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33978 is a stored Cross-Site Scripting (XSS) vulnerability in the Notesnook mobile app's share editor (both iOS and Android) prior to version 3.3.17. The issue occurs because attacker-controlled metadata, such as the shared title or subject from Android/iOS share metadata or link-preview title data, is directly inserted into HTML without proper escaping. This unescaped content is then rendered using innerHTML inside the mobile share editor WebView.

An attacker can craft malicious HTML or JavaScript code (for example, injecting an image tag with an onerror JavaScript handler) into the shared title metadata. When a victim opens the Notesnook share flow and selects Web clip mode, this malicious payload is inserted into the generated HTML and executed within the mobile editor WebView, allowing arbitrary script execution.

The vulnerability arises from improper neutralization of input during web page generation (CWE-79). It was fixed in Notesnook version 3.3.17 by properly escaping the title metadata before inserting it into the HTML.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the Notesnook mobile share editor WebView on a victim's device. This can lead to several impacts including:

  • Execution of malicious scripts that could steal sensitive information or manipulate the app's behavior.
  • Potential compromise of user data confidentiality and integrity within the Notesnook app.
  • User interaction is required for the attack to succeed, as the victim must open the share flow and select Web clip mode.

The overall severity is rated as Moderate with a CVSS v3 base score of 5.4, indicating a network attack vector with low attack complexity and no privileges required.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Notesnook mobile share editor that occurs when attacker-controlled metadata (such as TITLE or SUBJECT fields from Android/iOS share metadata or link-preview title data) is rendered without proper escaping. Detection involves identifying if malicious HTML or JavaScript payloads are present in the shared note titles or metadata.

Since the vulnerability manifests when the victim opens the Notesnook share flow and selects Web clip mode, detection on the system could involve monitoring or inspecting shared metadata for suspicious HTML tags or JavaScript event handlers (e.g., <img src=x onerror=...>).

There are no specific commands provided in the resources to detect this vulnerability on a network or system. However, general approaches could include:

  • Inspecting Notesnook shared note metadata for unescaped HTML or suspicious tags.
  • Monitoring network traffic for unusual share metadata containing HTML injection payloads.
  • Using application logs or debugging tools to trace the rendering of share metadata in the mobile app.

No explicit detection commands or scripts are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update the Notesnook mobile app to version 3.3.17 or later, where this vulnerability has been fixed.

The fix involves properly escaping or sanitizing the shared metadata titles before inserting them into the HTML content rendered in the mobile share editor WebView, preventing execution of malicious scripts.

  • Upgrade Notesnook to version 3.3.17 or newer on all affected devices.
  • Avoid opening shared notes or web clips from untrusted sources until the update is applied.
  • If upgrading immediately is not possible, consider restricting or monitoring the use of the share feature in Notesnook to reduce exposure.
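The fix described above (escaping the share title before it is concatenated into the web-clip HTML) and the detection idea from the previous answer (flagging titles that contain markup), shown as an added example; this is illustrative code, not Notesnook's own, and the HTML skeleton and function names are assumptions:

```javascript
// Added example (not Notesnook's code): how an unescaped share title becomes
// markup in generated web-clip HTML, and how escaping neutralizes it.
// The anchor skeleton and function names are assumptions for illustration.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (the pre-3.3.17 behaviour as the advisory describes it):
// attacker-controlled title concatenated straight into the markup.
function buildClipHtmlVulnerable(title, url) {
  return `<a href="${url}">${title}</a>`;
}

// Hardened pattern: every externally supplied field is escaped before
// concatenation (URL scheme validation is a separate concern, not shown).
function buildClipHtmlSafe(title, url) {
  return `<a href="${escapeHtml(url)}">${escapeHtml(title)}</a>`;
}

// Defensive check for logging/inspection: a plain title should never start
// an element tag. "<" followed by a letter, "/" or "!" is treated as markup.
function titleContainsMarkup(title) {
  return /<[a-zA-Z\/!]/.test(String(title));
}

// Count element tags in the output; a title must never add any.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample: the breakout string quoted in the advisory, with the
// handler body left as "..." exactly as the advisory prints it.
const SAMPLE_TITLE = "</a><img src=x onerror=...>";
const SAMPLE_URL = "https://example.com/article";

function demo() {
  return {
    vulnerable: buildClipHtmlVulnerable(SAMPLE_TITLE, SAMPLE_URL),
    safe: buildClipHtmlSafe(SAMPLE_TITLE, SAMPLE_URL),
  };
}
```

In the vulnerable output the title closes the anchor and adds an element of its own; in the hardened output the same string survives only as visible text inside the anchor.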

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not explicitly address how the stored XSS vulnerability in Notesnook affects compliance with common standards and regulations such as GDPR or HIPAA.

