CVE-2026-42090
Published: 04 May 2026
Summary
CVE-2026-42090 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Streetwriters Notesnook Mobile. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 37.9th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires filtering and HTML escaping of note fields prior to insertion into export HTML templates, directly preventing stored XSS execution in the unsandboxed iframe.
- Enforces secure Electron configurations such as nodeIntegration: false and contextIsolation: true to block XSS escalation to RCE in the desktop app.
- Validates and sanitizes user input in the note title, headline, and content to prevent storage of malicious scripts that could be exploited during export.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the client-side export flow directly enables attacker-controlled JavaScript execution (T1059.007) within the application origin; the Electron misconfiguration (nodeIntegration: true, contextIsolation: false) converts this into arbitrary code execution on the host (T1203).
NVD Description
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.
Deeper analysis
CVE-2026-42090 is a stored cross-site scripting (XSS) vulnerability in the note export flow of Notesnook, a privacy-focused note-taking application. It affects Notesnook Web and Desktop versions prior to 3.3.15, as well as Notesnook iOS and Android versions prior to 3.3.20. The issue stems from exported note fields, such as title, headline, and content, being inserted into a generated HTML template without proper HTML escaping. During PDF export, this HTML is rendered within a same-origin, unsandboxed iframe using the srcdoc attribute, allowing injected scripts to execute in the Notesnook origin.
The vulnerability requires network access and user interaction but no privileges (AV:N/AC:L/PR:N/UI:R). An attacker can exploit it by crafting a note with malicious JavaScript in the affected fields, which a victim then exports. Upon PDF export, the script executes in the application's context. In the Electron-based desktop app, this escalates to remote code execution (RCE) because Electron is configured with nodeIntegration: true and contextIsolation: false, potentially granting full control over the system (CVSS 9.6: C:H/I:H/A:H). Associated CWEs include CWE-79 (XSS) and CWE-94 (code injection).
Notesnook has addressed the vulnerability in Web/Desktop version 3.3.15 and iOS/Android version 3.3.20, as detailed in their GitHub security advisory (GHSA-fjm8-jg78-89h4) and corresponding release notes. Users should update to these patched versions to mitigate the risk.
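To make the root cause concrete, the following added example (not Notesnook's code and not its actual patch) contrasts an export template that interpolates note fields verbatim with one that HTML-escapes each field at the insertion point, as the SI-10 mitigation above describes. The note shape ({title, headline, content}), the function names, and the sample note are assumptions constructed for illustration; a rich-text content body would need an allow-list HTML sanitizer rather than plain escaping, which is out of scope here.

```javascript
// Added example, not Notesnook's code. Assumed note shape: { title, headline, content }.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that let text break out of an HTML text or
// attribute context. This is the minimum for plain-text fields.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: note-controlled strings land in the template verbatim,
// so a title containing markup becomes live HTML (and script) in the export
// document that is later rendered via iframe.srcdoc.
function buildExportHtmlUnsafe(note) {
  return `<!DOCTYPE html><html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1><p class="headline">${note.headline}</p>` +
    `<div class="content">${note.content}</div></body></html>`;
}

// Hardened pattern: every field is escaped where it is inserted, so the same
// input renders as literal text. (Assumption: content is treated as plain
// text here; real rich-text content needs an allow-list sanitizer instead.)
function buildExportHtmlSafe(note) {
  return `<!DOCTYPE html><html><head><title>${escapeHtml(note.title)}</title></head>` +
    `<body><h1>${escapeHtml(note.title)}</h1>` +
    `<p class="headline">${escapeHtml(note.headline)}</p>` +
    `<div class="content">${escapeHtml(note.content)}</div></body></html>`;
}

// Crude review/test check: does the generated document still contain an
// unescaped script tag? Useful as a regression test for the template.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample note (not real data) carrying the classic probe string.
const sampleNote = {
  title: 'Budget <script>alert("xss")</script>',
  headline: 'Q3 "draft" & notes',
  content: "<p>hello</p>",
};

console.log("unsafe has raw <script>:", containsRawScriptTag(buildExportHtmlUnsafe(sampleNote)));
console.log("safe has raw <script>:  ", containsRawScriptTag(buildExportHtmlSafe(sampleNote)));
```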
Details
- CWE(s)