CVE-2026-33955 in streetwriters Notesnook Web
摘要 (英语)
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.
负责
GitHub_M
预定
2026-03-24
披露
2026-03-28
条目
VulDB provides additional information and datapoints for this CVE:
| 标识符 | 漏洞 | CWE | 可利用 | 对策 | CVE |
|---|---|---|---|---|---|
| 354044 | streetwriters Notesnook Web/Notesnook Desktop 跨网站脚本 | 79 | 未定义 | 官方修复 | CVE-2026-33955 |