CVE-2026-33955 is a cross-site scripting vulnerability classified under CWE-79 that affects the Notesnook note-taking application on Web and Desktop platforms prior to version 3.3.11. The vulnerability arises from the unsafe use of React's dangerouslySetInnerHTML to render note headers in the note history comparison viewer without proper input sanitization or neutralization. This allows an attacker to inject malicious scripts into note headers. While the initial vulnerability is XSS, it escalates to remote code execution (CWE-94) in the desktop application due to the Electron framework's insecure configuration: nodeIntegration is enabled (true) and contextIsolation is disabled (false). These settings allow injected scripts to access Node.js APIs, enabling arbitrary code execution. The backup and restore feature in the desktop app facilitates this escalation by processing attacker-controlled content. Exploitation requires user interaction (viewing the malicious note) but no prior authentication, making it a significant risk for users who open or restore compromised notes. The vulnerability was publicly disclosed on March 27, 2026, with a CVSS v3.1 score of 8.6 (high severity), reflecting its potential to compromise confidentiality, integrity, and availability. The vendor addressed the issue in version 3.3.11 by presumably sanitizing inputs and/or adjusting Electron security settings. No known exploits in the wild have been reported yet, but the combination of XSS and RCE in a popular note-taking app warrants immediate attention.

This vulnerability poses a critical risk to organizations and individual users relying on Notesnook for sensitive note-taking and data storage. Successful exploitation can lead to remote code execution on the desktop client, allowing attackers to execute arbitrary commands, install malware, steal sensitive information, or pivot within internal networks. The compromise of confidentiality, integrity, and availability can result in data breaches, intellectual property theft, and operational disruption. Since the vulnerability requires only user interaction without authentication, phishing or social engineering attacks could be used to lure victims into opening malicious notes. The backup and restore feature's involvement means that even restored data can trigger exploitation, increasing the attack surface. Organizations using Notesnook in regulated industries or handling sensitive data face compliance and reputational risks. The threat is exacerbated by Electron's insecure default configuration, which is common in many desktop apps, highlighting a broader security concern. Although no exploits are currently known in the wild, the high CVSS score and ease of exploitation make this a priority vulnerability to address.

1. Immediate upgrade of Notesnook Web/Desktop to version 3.3.11 or later to apply the official patch. 2. For organizations unable to upgrade immediately, restrict access to the note history comparison viewer and disable the backup and restore feature temporarily to reduce attack vectors. 3. Review and harden Electron app configurations by disabling nodeIntegration and enabling contextIsolation to prevent JavaScript injection from escalating to RCE. 4. Implement strict input validation and sanitization on all user-generated content, especially note headers, to prevent XSS. 5. Educate users about the risks of opening notes from untrusted sources and implement security awareness training to reduce successful social engineering. 6. Monitor application logs and network traffic for suspicious activity related to note rendering or backup/restore operations. 7. Employ endpoint detection and response (EDR) tools to detect anomalous behavior indicative of exploitation attempts. 8. Conduct regular security assessments and penetration testing focusing on Electron app security best practices. 9. Consider sandboxing the Notesnook desktop app or running it with least privilege to limit potential damage from exploitation.