Notesnook, a note-taking application, had a stored XSS vulnerability in its Web Clipper feature before version 3.3.11 on Web/Desktop and 3.3.17 on mobile platforms. The vulnerability occurs because the clipper retains attacker-controlled attributes from the root element of the source page and stores them in the clipped HTML. When the clipped content is later opened, Notesnook renders it inside a same-origin iframe without sandboxing, using contentDocument.write. This allows event-handler attributes (e.g., onload, onclick) to execute within the Notesnook origin. On the desktop app, this XSS escalates to remote code execution because Electron is configured with nodeIntegration: true and contextIsolation: false, enabling attacker code to run with elevated privileges. The vulnerability is tracked as CVE-2026-33976 with a CVSS score of 9.7 (critical). The vendor has released patches in versions 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS) to address this issue.

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely on the Notesnook desktop application. This is due to the combination of stored XSS in the web clipper and the insecure Electron configuration that enables node integration and disables context isolation. The impact includes full compromise of the affected application, potentially leading to data theft, manipulation, or further system compromise. The CVSS score of 9.7 reflects critical severity with high impact on confidentiality, integrity, and availability.

The vendor has released official patches that fix this vulnerability in Notesnook Web/Desktop version 3.3.11 and Android/iOS version 3.3.17. Users and administrators should upgrade to these versions or later to remediate the issue. Since this is not a cloud service, remediation depends on applying these updates. Patch status is confirmed by the vendor advisory embedded in the description. No additional mitigation steps are indicated beyond applying the official updates.