CVE-2026-33976
Notesnook · Notesnook
Notesnook suffers from a stored XSS vulnerability in its Web Clipper that can be escalated to Remote Code Execution in the desktop application due to insecure Electron configurations.
Executive summary
A stored XSS vulnerability in the Notesnook Web Clipper allows an unauthenticated attacker to achieve full Remote Code Execution on desktop clients by exploiting insecure Electron settings.
Vulnerability
The Web Clipper preserves malicious event-handler attributes (e.g., onload) from source pages. Because the desktop app uses Electron with nodeIntegration: true and contextIsolation: false, an unauthenticated attacker can use a stored XSS payload to execute arbitrary Node.js code on the victim's machine.
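The two mitigations implied by this description, as an added example that is not Notesnook's code: a filter that removes inline event-handler attributes from clipped HTML before storage, and the insecure Electron webPreferences beside a hardened set with a startup check. Function names are hypothetical and the sample clipped HTML is constructed.

```javascript
// Added example, not Notesnook's code. Two defensive checks for the XSS-to-RCE chain
// in the advisory. Function names are hypothetical; the sample clipped HTML is constructed.

// Optional attribute value: double-quoted, single-quoted, or bare, as HTML permits.
const ATTR_VALUE = String.raw`(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+))?`;
// A start tag: name, zero or more attributes, optional self-closing slash.
// Matching attribute values explicitly keeps a quoted ">" from ending the tag early.
const TAG_RE = new RegExp(
  String.raw`<([a-zA-Z][^\s/>]*)((?:\s+[^\s"'>/=]+${ATTR_VALUE})*)\s*(/?)>`, "g");
// Any attribute whose name starts with "on" (case-insensitive), including its value.
// The lookahead stops a name such as "online-x" from being treated as a handler.
const HANDLER_RE = new RegExp(String.raw`\s+on[a-zA-Z]*${ATTR_VALUE}(?=\s|$)`, "gi");

// 1. Drop inline event-handler attributes (onload, onerror, ...) from clipped HTML
//    before it is stored, so no script-bearing attribute reaches the renderer.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (_whole, tag, attrs, slash) =>
    `<${tag}${attrs.replace(HANDLER_RE, "")}${slash}>`);
}

// 2. The webPreferences the advisory names as the escalation path, beside a hardened
//    set. The check is meant to run at startup, before any BrowserWindow is created.
const vulnerableWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = {
  nodeIntegration: false,  // renderer gets no direct Node.js access
  contextIsolation: true,  // preload and page scripts run in separate JS worlds
  sandbox: true,           // OS-level renderer sandbox (additional hardening)
};

function isHardenedWebPreferences(prefs) {
  return prefs.nodeIntegration === false &&
         prefs.contextIsolation === true &&
         prefs.sandbox === true;
}

// Constructed sample of clipped content carrying inline handlers in several spellings.
const clippedSample =
  '<div class="post"><img src="logo.png" onload="handler()">' +
  "<svg ONERROR = 'x'></svg><p onclick=go title=\"a>b\">text</p></div>";

console.log(stripEventHandlers(clippedSample));
console.log("vulnerable config hardened?", isHardenedWebPreferences(vulnerableWebPreferences));
console.log("hardened config hardened?", isHardenedWebPreferences(hardenedWebPreferences));
```

A production clipper should rely on a maintained allow-list HTML sanitizer rather than a regex; the filter here only illustrates the attribute class that must not survive clipping.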
Business impact
This vulnerability represents a severe risk to end-user data and local system security. Successful exploitation leads to full compromise of the user's workstation, including the ability to read, modify, or delete sensitive notes and access local files. The CVSS score of 9.6 highlights the critical nature of this "XSS-to-RCE" chain.
Remediation
Immediate Action: Update the Notesnook application to version 3.3.11 (Web/Desktop) or 3.3.17 (Mobile) without delay.
Proactive Monitoring: Security teams should monitor for unusual outbound network connections from the Notesnook desktop application process.
Compensating Controls: Restrict the use of the Web Clipper feature on untrusted or high-risk websites until the application has been fully patched across the fleet.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Users must update their Notesnook clients immediately to the patched versions. The combination of stored XSS and insecure Electron defaults creates a direct path to system compromise. Organizations should ensure that all managed endpoints have received the update to prevent targeted attacks against employees using the software.