{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T06:48:27.195","vulnerabilities":[{"cve":{"id":"CVE-2026-33976","sourceIdentifier":"security-advisories@github.com","published":"2026-03-27T22:16:22.250","lastModified":"2026-06-17T10:38:22.133","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. 
Versions 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS patch the issue."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"streetwriters","product":"Notesnook Web/Desktop","versions":[{"version":"< 3.3.11","status":"affected"}]},{"vendor":"streetwriters","product":"Notesnook iOS/Android","versions":[{"version":"< 3.3.17","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-31T00:00:00+00:00","id":"CVE-2026-33976","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA 
Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:*","versionEndExcluding":"3.3.11","matchCriteriaId":"08C11EDB-67C1-4E85-A07D-0164CB036757"},{"vulnerable":true,"criteria":"cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:android:*:*","versionEndExcluding":"3.3.17","matchCriteriaId":"105C802D-D317-4B9A-B883-D07A1E0840E6"},{"vulnerable":true,"criteria":"cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"3.3.17","matchCriteriaId":"858B01C2-38C3-4093-A638-E380119ABDF5"}]}]}],"references":[{"url":"https://github.com/streetwriters/notesnook/security/advisories/GHSA-f42f-phvp-43x5","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}