CVE-2026-42090
Stored XSS in Notesnook Leading to RCE via PDF Export
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| notesnook | notesnook (Web/Desktop) | < 3.3.15 (fixed in 3.3.15) |
| notesnook | notesnook (iOS/Android) | < 3.3.20 (fixed in 3.3.20) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Notesnook note-taking app in versions prior to Web/Desktop 3.3.15 and iOS/Android 3.3.20. It is a stored cross-site scripting (XSS) flaw in the note export flow: note fields such as the title, headline and content are interpolated into an HTML template without HTML escaping (CWE-79).
When a note is exported to PDF, Notesnook renders that HTML in an iframe via iframe.srcdoc. The iframe is same-origin and carries no sandbox attribute, so any script injected through a note field runs in the Notesnook origin. In the desktop app the Electron renderer is configured with nodeIntegration enabled and contextIsolation disabled, which means script running in the page can call Node.js APIs directly; the XSS therefore escalates to remote code execution (RCE), which is why CWE-94 (code injection) is listed alongside CWE-79.
In practice, an attacker who can get crafted content into a note that the victim later exports to PDF gets script execution in the app's origin, and on the desktop app, arbitrary code execution with the full privileges of the Notesnook process.
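The following is an added example, not Notesnook's own code, showing the CWE-79 pattern the advisory describes (unescaped note fields in an export template) beside a hardened rendering path, plus the Electron renderer settings that turn such an XSS into RCE. All function and field names (renderExportHtmlUnsafe, renderExportHtml, sanitizeBodyToy, rendererCanReachNode, SAMPLE_NOTE) are assumptions made for illustration; the sample note is constructed. The body sanitizer is a deliberately minimal allowlist filter standing in for a real library such as DOMPurify.

```javascript
// Added example (not Notesnook's code): unescaped export template vs. a hardened one,
// and the Electron renderer settings that let page script reach Node.js.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a plain-text field before placing it in HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern (CWE-79): attacker-controlled note fields interpolated verbatim.
function renderExportHtmlUnsafe(note) {
  return `<!doctype html><html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1><p class="headline">${note.headline}</p>` +
    `<div class="content">${note.content}</div></body></html>`;
}

// Toy allowlist sanitizer for the note body, which is itself HTML in a rich-text app.
// Regex-based sanitizers are bypassable; production code must use a real sanitizer
// (e.g. DOMPurify). This one exists only to make the example self-contained.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'a']);

function sanitizeBodyToy(html) {
  return String(html)
    .replace(/<script[\s\S]*?<\/script\s*>/gi, '')               // drop <script> blocks outright
    .replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, (tag, name) => {  // drop tags not on the allowlist
      if (!ALLOWED_TAGS.has(name.toLowerCase())) return '';
      return tag
        .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')                    // strip on* handlers
        .replace(/\s+(href|src)\s*=\s*("|')?\s*javascript:[^"'>\s]*\2?/gi, '');          // strip javascript: URLs
    });
}

// Hardened pattern: plain-text fields escaped, HTML body sanitized.
function renderExportHtml(note) {
  return `<!doctype html><html><head><title>${escapeHtml(note.title)}</title></head>` +
    `<body><h1>${escapeHtml(note.title)}</h1><p class="headline">${escapeHtml(note.headline)}</p>` +
    `<div class="content">${sanitizeBodyToy(note.content)}</div></body></html>`;
}

// Defence in depth for the rendering step: a srcdoc iframe with an empty sandbox
// attribute gets an opaque origin and no script execution, so even a sanitizer
// bypass cannot run in the app's origin.
function exportIframeAttributes(html) {
  return { srcdoc: html, sandbox: '' };
}

// Electron side: this combination is what turns an XSS into RCE. With nodeIntegration
// on or contextIsolation off, page script can reach require() and Node.js APIs.
const WEAK_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false };
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

function rendererCanReachNode(prefs) {
  return prefs.nodeIntegration === true || prefs.contextIsolation === false;
}

// Heuristic check over rendered output: does it still carry script-bearing markup?
// Tag-aware so that escaped text such as "&lt;img onerror=..." does not trip it.
function containsActiveMarkup(html) {
  return /<script\b|<[^>]*\son[a-z]+\s*=|<[^>]*\b(href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed sample note (not real data): attacker-controlled title and body.
const SAMPLE_NOTE = {
  title: '<img src=x onerror="alert(document.domain)">',
  headline: 'Quarterly <b>summary</b>',
  content: '<p>Hello</p><script>require("child_process")</script><a href="javascript:alert(1)">link</a>',
};

function demo() {
  return {
    unsafeHasScript: containsActiveMarkup(renderExportHtmlUnsafe(SAMPLE_NOTE)),   // true
    hardenedHasScript: containsActiveMarkup(renderExportHtml(SAMPLE_NOTE)),       // false
    weakElectron: rendererCanReachNode(WEAK_WEB_PREFERENCES),                     // true
  };
}
```

The two renderers differ only in the escaping and sanitizing step, which is the whole fix for the XSS; the sandboxed iframe and the Electron webPreferences are the two layers that would have kept an escaped-text bug from becoming code execution in the first place.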
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows remote code execution through a stored cross-site scripting (XSS) flaw in the Notesnook app, which could lead to unauthorized access or manipulation of user data.
Such unauthorized access or data manipulation could potentially violate data protection requirements under standards like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access and breaches.
Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing user data to attackers.
How can this vulnerability impact me?
If you use a vulnerable version of Notesnook, exporting a note that carries injected script gives an attacker script execution in the app; on the desktop app this becomes arbitrary code execution on your machine.
Such code execution can lead to full compromise of the device, unauthorized access to your notes and other data, installation of malware, or other malicious activity.
Because the injected script runs in a renderer that can reach Node.js APIs, the risk to user security and privacy is high.
What immediate steps should I take to mitigate this vulnerability?
Update Notesnook to a patched version: Web/Desktop 3.3.15 or later, and iOS/Android 3.3.20 or later.
Until the update is applied, avoid exporting notes to PDF, since the export flow is where the injected script is rendered and executed.