CVE-2026-42090

Notesnook · Notesnook

A stored XSS vulnerability in Notesnook’s note export process can be escalated to remote code execution in the desktop app because exported note content is rendered in an insecure iframe and the Electron renderer is misconfigured.

Executive summary

A critical vulnerability in Notesnook allows unauthenticated attackers to achieve remote code execution on desktop systems when the desktop app processes maliciously crafted note content.

Vulnerability

The application fails to sanitize note fields during export, so attacker-controlled HTML in a note is rendered as-is, giving a stored XSS. In the desktop app this becomes RCE because the Electron renderer runs with context isolation disabled and node integration enabled: script injected into the page can call Node.js APIs directly rather than being confined to the browser context.
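The two halves of that escalation, as an added example that is not Notesnook's own code: an iframe wrapper that renders untrusted note HTML with a sandbox granting nothing, and an audit of Electron webPreferences that flags the node integration / context isolation pairing the advisory describes. The Electron defaults filled in for unset keys (nodeIntegration false since 5, contextIsolation true since 12, sandbox true since 20 unless nodeIntegration is true) are taken from Electron's release notes and are an assumption of this example; the two configurations and the sample note are constructed here, not taken from Notesnook's source.

```javascript
// Added example (not Notesnook's code): sandboxed rendering of untrusted HTML
// and an audit of Electron webPreferences for XSS-to-RCE conditions.

// Escape a string for use inside a double-quoted HTML attribute.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Wrap untrusted HTML in an <iframe> whose sandbox attribute grants nothing:
// no allow-scripts and no allow-same-origin, so even unsanitized markup cannot
// execute script or reach the parent document. srcdoc is attribute-escaped so
// the note cannot break out of the attribute.
function sandboxedIframeMarkup(untrustedHtml) {
  return '<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="' +
         escapeHtmlAttr(untrustedHtml) + '"></iframe>';
}

// Resolve the effective webPreferences for a given Electron major version.
// Defaults are assumed from Electron's release notes (see lead-in).
function effectiveWebPreferences(prefs, electronMajor) {
  const nodeIntegration = prefs.nodeIntegration ?? electronMajor < 5;
  const contextIsolation = prefs.contextIsolation ?? electronMajor >= 12;
  // Since Electron 20 renderers are sandboxed by default, except when the app
  // explicitly asks for nodeIntegration: true.
  const sandbox = prefs.sandbox ?? (electronMajor >= 20 && !nodeIntegration);
  return {
    webSecurity: true,
    allowRunningInsecureContent: false,
    webviewTag: false,
    ...prefs,
    nodeIntegration,
    contextIsolation,
    sandbox,
  };
}

// Return findings plus a verdict on whether page-level XSS reaches Node.js.
function auditWebPreferences(prefs, electronMajor) {
  const eff = effectiveWebPreferences(prefs, electronMajor);
  const findings = [];
  if (eff.nodeIntegration) findings.push('nodeIntegration on: renderer scripts can call require()');
  if (!eff.contextIsolation) findings.push('contextIsolation off: page scripts share the preload/Electron JS world');
  if (!eff.sandbox) findings.push('sandbox off: renderer runs outside the OS sandbox');
  if (!eff.webSecurity) findings.push('webSecurity off: same-origin policy disabled');
  if (eff.allowRunningInsecureContent) findings.push('allowRunningInsecureContent on: http content loads on https pages');
  if (eff.webviewTag) findings.push('webviewTag on: <webview> can embed arbitrary content');
  // The pairing named in the advisory: with context isolation off, the page's
  // JS world is the one that node integration exposes require() to, so a
  // stored XSS is directly code execution in the renderer process.
  const xssReachesNode = eff.nodeIntegration && !eff.contextIsolation;
  return { effective: eff, findings, xssReachesNode };
}

// Constructed configurations for comparison (hypothetical, not Notesnook's).
const weakWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: '/app/preload.js', // expose only what the page needs via contextBridge
};

function demo() {
  // Constructed sample note carrying an event-handler payload.
  const note = '<p>hello</p><img src=x onerror="alert(1)">';
  console.log(sandboxedIframeMarkup(note));
  for (const [name, prefs] of [['weak', weakWebPreferences], ['hardened', hardenedWebPreferences]]) {
    const r = auditWebPreferences(prefs, 28);
    console.log(name + ': xssReachesNode=' + r.xssReachesNode, r.findings);
  }
}
demo();
```

The audit is meant to be run against the `webPreferences` object passed to `new BrowserWindow(...)` in the main process; on the weak configuration it reports three findings and `xssReachesNode: true`, on the hardened one none. Sandboxing the iframe is a defence in depth for the export path: sanitization of the note fields is still the primary fix, since an unsandboxed render of the same HTML would run the handler.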

Business impact

With a CVSS score of 9.6, this vulnerability poses a severe risk to end-user workstations. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the logged-in user, potentially leading to full system compromise, data theft, and lateral movement within the enterprise environment.

Remediation

Immediate Action: Update all Notesnook instances to Web/Desktop version 3.3.15 or higher, and mobile versions to 3.3.20 or higher.

Proactive Monitoring: Review endpoint security logs for anomalous processes spawned by the Notesnook application or unexpected outbound network connections originating from the app.

Compensating Controls: Deploy endpoint detection and response (EDR) solutions to identify and block suspicious child processes initiated by Electron-based applications.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is critical because of the potential for RCE on desktop platforms. Organizations using Notesnook must prioritize the rollout of the specified versions to all endpoints to mitigate the risk of compromise.