CVE-2026-42090
Awaiting Analysis Awaiting Analysis - Queue
Stored XSS in Notesnook Leading to RCE via PDF Export

Publication date: 2026-05-04

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-42090
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
notesnook notesnook to 3.3.15 (exc)
notesnook notesnook to 3.3.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Notesnook note-taking app versions prior to Web/Desktop 3.3.15 and iOS/Android 3.3.20. It is a stored Cross-Site Scripting (XSS) flaw in the note export flow where note fields like title, headline, and content are inserted into an HTML template without proper HTML escaping.

When a note is exported to PDF, Notesnook renders this HTML inside a same-origin, unsandboxed iframe using iframe.srcdoc. Because the injected script executes within the Notesnook origin, in the desktop app this can escalate to remote code execution (RCE) due to Electron being configured with nodeIntegration enabled and contextIsolation disabled.

This means an attacker can inject malicious scripts into notes that execute with high privileges on the user's desktop app.

Impact Analysis

This vulnerability can have severe impacts including allowing an attacker to execute arbitrary code remotely on your desktop if you use vulnerable versions of Notesnook.

Such remote code execution can lead to full compromise of your device, unauthorized access to your data, installation of malware, or other malicious activities.

Because the vulnerability arises from executing injected scripts in a privileged context, it poses a high risk to user security and privacy.

Mitigation Strategies

To mitigate this vulnerability, update Notesnook to the patched versions: Web/Desktop version 3.3.15 or later, and iOS/Android version 3.3.20 or later.

Avoid using vulnerable versions of Notesnook for exporting notes until the update is applied.

Compliance Impact

This vulnerability allows remote code execution through a stored cross-site scripting (XSS) flaw in the Notesnook app, which could lead to unauthorized access or manipulation of user data.

Such unauthorized access or data manipulation could potentially violate data protection requirements under standards like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing user data to attackers.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42090. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart