CVE-2026-42090: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in streetwriters notesnook
CVE-2026-42090 is a critical stored cross-site scripting (XSS) vulnerability in the Notesnook note-taking application affecting versions prior to 3.3.15 on Web/Desktop and prior to 3.3.20 on iOS/Android. The vulnerability arises because note fields such as title, headline, and content are inserted into an HTML template without proper HTML escaping during the note export flow. This allows malicious script injection that executes in a same-origin, unsandboxed iframe. In the desktop app, this escalates to remote code execution (RCE) due to Electron's insecure configuration (nodeIntegration: true, contextIsolation: false). The issue has been patched in the specified versions.
AI Analysis
Technical Summary
Notesnook versions before 3.3.15 (Web/Desktop) and 3.3.20 (iOS/Android) suffer from a stored XSS vulnerability in the note export functionality. Exported note fields are embedded into an HTML template without HTML escaping, enabling script injection. When the note is exported to PDF, the app renders this HTML in a same-origin iframe without sandboxing, allowing injected scripts to execute with the app's privileges. On the desktop app, this leads to remote code execution because Electron is configured insecurely with nodeIntegration enabled and contextIsolation disabled. The vulnerability is tracked as CVE-2026-42090 with a CVSS 3.1 score of 9.6 (critical). The vendor has released patched versions to address this issue.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary scripts within the Notesnook origin, leading to full compromise of the desktop app via remote code execution. This can result in complete loss of confidentiality, integrity, and availability of user data within the app. The vulnerability affects note export functionality and can be triggered by crafted note content. There are no known exploits in the wild at the time of publication.
Mitigation Recommendations
This vulnerability has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20. Users and administrators should upgrade to these or later versions to remediate the issue. Patch status is confirmed by the vendor advisory embedded in the description. No additional mitigations are indicated by the vendor.
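As an added example that is not part of this record or of Notesnook's own code: the unescaped template pattern the advisory describes beside an escaped variant, a regression check an export test suite can run, and the hardened iframe and Electron settings. The field names, function names and the sample note are assumptions.

```javascript
// Added defender-side illustration for CVE-2026-42090, not Notesnook's code.
// Assumed: an export step that builds an HTML document from note fields, a
// preview iframe, and an Electron BrowserWindow. All names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the advisory describes: fields dropped straight into the template.
function buildExportHtmlUnsafe(note) {
  return `<html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1><p>${note.headline}</p>` +
    `<div id="content">${note.content}</div></body></html>`;
}

// Hardened variant: every field is escaped before interpolation. If the body
// must keep rich-text markup, `content` needs an allowlist HTML sanitizer
// instead of escapeHtml; escaping is used here to keep the example self-contained.
function buildExportHtmlSafe(note) {
  const t = escapeHtml(note.title);
  const h = escapeHtml(note.headline);
  const c = escapeHtml(note.content);
  return `<html><head><title>${t}</title></head>` +
    `<body><h1>${t}</h1><p>${h}</p><div id="content">${c}</div></body></html>`;
}

// Regression check: no raw <script> tag and no tag carrying an inline
// event-handler attribute may reach the exported document.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Rendering side: show the export in an iframe whose `sandbox` attribute has
// no tokens, so the frame gets an opaque origin and scripts are disabled.
function previewIframeMarkup(html) {
  return `<iframe sandbox srcdoc="${escapeHtml(html)}"></iframe>`;
}

// Electron side: the two settings the advisory names as insecure, inverted,
// plus the renderer sandbox.
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Constructed sample note carrying the kind of payload the advisory describes.
const SAMPLE_NOTE = {
  title: 'Groceries<script>alert(1)</script>',
  headline: '"><img src=x onerror=alert(2)>',
  content: '<p>milk &amp; eggs</p>',
};
```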
CVSS v3.1 score: 9.6 (critical)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-23T19:17:30.566Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f8d219cbff5d86103970ae
Added to database: 5/4/2026, 5:06:33 PM
Last enriched: 5/12/2026, 6:30:38 AM
Last updated: 6/18/2026, 11:40:38 AM