{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33978", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.210Z", "datePublished": "2026-04-01T16:11:56.610Z", "dateUpdated": "2026-04-01T19:07:24.523Z"}, "containers": {"cna": {"title": "Notesnook: Stored XSS in mobile share editor via unescaped web clip title metadata", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm"}, {"name": "https://github.com/streetwriters/notesnook/commit/fc8807f74db5539036c5e58d3d68a11ea54098db", "tags": ["x_refsource_MISC"], "url": "https://github.com/streetwriters/notesnook/commit/fc8807f74db5539036c5e58d3d68a11ea54098db"}, {"name": "https://github.com/streetwriters/notesnook/releases/tag/3.3.17-android", "tags": ["x_refsource_MISC"], "url": "https://github.com/streetwriters/notesnook/releases/tag/3.3.17-android"}], "affected": [{"vendor": "streetwriters", "product": "notesnook", "versions": [{"version": "< 3.3.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T16:11:56.610Z"}, "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17."}], "source": {"advisory": "GHSA-f27j-fqc6-v7pm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:07:14.241983Z", "id": "CVE-2026-33978", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:07:24.523Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33978", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T19:07:14.241983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:07:21.163Z"}}], "cna": {"title": "Notesnook: Stored XSS in mobile share editor via unescaped web clip title metadata", "source": {"advisory": "GHSA-f27j-fqc6-v7pm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "streetwriters", "product": "notesnook", "versions": [{"status": "affected", "version": "< 3.3.17"}]}], "references": [{"url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm", "name": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/streetwriters/notesnook/commit/fc8807f74db5539036c5e58d3d68a11ea54098db", "name": "https://github.com/streetwriters/notesnook/commit/fc8807f74db5539036c5e58d3d68a11ea54098db", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/streetwriters/notesnook/releases/tag/3.3.17-android", "name": "https://github.com/streetwriters/notesnook/releases/tag/3.3.17-android", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T16:11:56.610Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33978", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:07:24.523Z", "dateReserved": "2026-03-24T22:20:06.210Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T16:11:56.610Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17."}], "id": "CVE-2026-33978", "lastModified": "2026-04-01T17:28:39.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T17:28:39.660", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/streetwriters/notesnook/commit/fc8807f74db5539036c5e58d3d68a11ea54098db"}, {"source": "security-advisories@github.com", "url": "https://github.com/streetwriters/notesnook/releases/tag/3.3.17-android"}, {"source": "security-advisories@github.com", "url": "https://github.com/streetwriters/notesnook/security/advisories/GHSA-f27j-fqc6-v7pm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "notesnook", "source": "cna", "vendor": "streetwriters"}, "product": "notesnook", "vendor": "streetwriters"}], "analysis": {"en": {"generated_at": "2026-04-02T03:47:27.013893+00:00", "value": {"mitigation_remediation": ["Upgrade Notesnook to version 3.3.17 or later.", "If an upgrade is not possible, refrain from using the Web clip feature until a patch is available.", "Ensure that any URLs or metadata shared within the app are from trusted sources and not manipulated by malicious actors."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS) in Notesnook mobile share editor"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Notesnook note\u2011taking application developed by Streetwriters. All releases prior to version 3.3.17 on both Android and iOS platforms are impacted. Users of earlier builds should verify their current version against the published release notes.", "description_and_impact": "A stored XSS vulnerability exists in the Notesnook mobile share and web clip flow. Attacker-controlled clip metadata, such as the share title, is concatenated into HTML without escaping and then rendered with innerHTML inside the app\u2019s WebView. When a user opens the share flow and selects the web clip option, the malicious payload is injected into the generated HTML and executed in the editor WebView, allowing the attacker to run arbitrary JavaScript within the Notesnook application. This can lead to session hijacking, data theft, or execution of malicious code on the device. The weakness is a typical cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is likely social\u2011engineering based, whereby an attacker crafts a malicious title or link preview that is shared with a victim. Because the payload is stored and executed when the victim opens the share flow, an unauthenticated attacker who can influence the share metadata can trigger the exploit. The risk to confidentiality, integrity, or availability depends on the JavaScript executed by the attacker, but the exploitation requires the victim to invoke the share editor with the crafted data."}}}}, "created": "2026-04-02T07:48:51.389544+00:00", "updated": "2026-04-02T20:17:17.069467+00:00", "vendors": ["streetwriters", "streetwriters$PRODUCT$notesnook"]}