CVE-2026-33978 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Notesnook mobile application, a privacy-focused note-taking app by streetwriters. The vulnerability exists in versions prior to 3.3.17 within the mobile share and web clip flow. Specifically, the issue stems from improper neutralization of attacker-controlled input during web page generation inside the mobile share editor WebView. When a user shares content via Android or iOS share intents, metadata fields such as TITLE or SUBJECT, or link-preview title data, are incorporated directly into HTML without proper escaping or sanitization. This data is then rendered using innerHTML, which executes any embedded HTML or JavaScript. An attacker can craft malicious metadata containing payloads like </a><img src=x onerror=...> to execute arbitrary scripts when the victim opens the Notesnook share flow and selects the Web clip option. This stored XSS can lead to script execution within the context of the app's WebView, potentially allowing attackers to steal sensitive information accessible to the app or manipulate the app's UI. The vulnerability does not require authentication but does require user interaction to trigger. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. The issue was publicly disclosed on April 1, 2026, and has been patched in Notesnook version 3.3.17. No known exploits in the wild have been reported to date.

The primary impact of this vulnerability is the potential execution of arbitrary scripts within the Notesnook mobile app's WebView environment. This can lead to unauthorized access to sensitive user data stored or processed by the app, such as notes content or metadata, thereby compromising confidentiality. Integrity may also be affected if the attacker can manipulate the app's UI or stored data through script injection. However, the vulnerability does not impact availability, as it does not cause denial of service or app crashes. Because exploitation requires user interaction (opening the share flow and selecting Web clip), the attack surface is somewhat limited. Nonetheless, given Notesnook's focus on privacy and secure note-taking, any compromise of confidentiality or integrity undermines user trust and can have serious consequences for individuals or organizations relying on the app for sensitive information. Organizations using vulnerable versions on mobile devices are at risk of targeted attacks, especially if attackers can trick users into sharing malicious content. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as the vulnerability is publicly known and patched.

To mitigate this vulnerability, organizations and users should immediately update Notesnook to version 3.3.17 or later, where the issue has been patched. Developers should ensure that all user-controlled input, especially metadata used in HTML generation, is properly sanitized and escaped before rendering in WebView contexts to prevent injection attacks. Employing secure coding practices such as using safe APIs that do not rely on innerHTML or implementing strict Content Security Policies (CSP) within the app's WebView can further reduce risk. Users should be cautious when opening shared content or links from untrusted sources within the app. Organizations deploying Notesnook in managed environments should enforce app updates and consider monitoring for suspicious activity related to share flows. Additionally, security teams can perform regular code reviews and penetration testing focused on WebView components to detect similar issues proactively.