Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

streetwriters

Source -

CNANVD

BOS Name -

N/A

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

4
Related CVEsRelated ProductsRelated AssignersReports
4Vulnerabilities found
CVE-2026-33978
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 8.72%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 16:11
Updated-21 Apr, 2026 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Notesnook: Stored XSS in mobile share editor via unescaped web clip title metadata

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escaping and then rendered with innerHTML inside the mobile share editor WebView. An attacker can control the shared title metadata (for example through Android/iOS share metadata such as TITLE / SUBJECT, or through link-preview title data) and inject HTML such as </a><img src=x onerror=...>. When the victim opens the Notesnook share flow and selects Web clip, the payload is inserted into the generated HTML and executed in the mobile editor WebView. This issue has been patched in version 3.3.17.

Action-Not Available
Vendor-streetwritersstreetwriters
Product-notesnook_mobilenotesnook
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-33955
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.05% / 15.69%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 21:27
Updated-03 Apr, 2026 | 13:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Notesnook vulnerable to RCE via stored XSS in Note History diff viewer

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a desktop application. The issue is triggered when an attacker-controlled note header is displayed using `dangerouslySetInnerHTML` without secure handling. When combined with the full backup and restore feature in the desktop application, this becomes remote code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 patches the issue.

Action-Not Available
Vendor-streetwritersstreetwriters
Product-notesnook_desktopNotesnook Web/Desktop
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33976
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.7||CRITICAL
EPSS-0.14% / 33.59%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 21:26
Updated-03 Apr, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering

Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML. When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.

Action-Not Available
Vendor-streetwritersstreetwriters
Product-notesnook_mobilenotesnook_desktopNotesnook iOS/AndroidNotesnook Web/Desktop
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-31876
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 10.30%
||
7 Day CHG~0.00%
Published-11 Mar, 2026 | 18:17
Updated-17 Mar, 2026 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.

Action-Not Available
Vendor-streetwritersstreetwriters
Product-notesnook_mobilenotesnook_desktopnotesnook
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')