Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twi

Description

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.

Affected Products

Vendor	Product	Versions
streetwriters	notesnook_desktop	< 3.3.9, < 3.3.15, < 3.3.15

References

CVSS 3.15.4 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

3.3.93.3.15

CWECWE-79

PublishedMar 11, 2026

Last enriched1d ago

Trending Score0

Source articles0

Independent0

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twi

Description

Affected Products

References

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline