CVE-2026-33978 Overview
CVE-2026-33978 is a stored Cross-Site Scripting (XSS) vulnerability affecting Notesnook, a privacy-focused note-taking application. The vulnerability exists in the mobile share and web clip flow where attacker-controlled clip metadata is concatenated into HTML without proper escaping and then rendered using innerHTML inside the mobile share editor WebView. This allows attackers to inject malicious scripts that execute within the context of the victim's session.
Critical Impact
Attackers can execute arbitrary JavaScript code in the victim's Notesnook mobile WebView by crafting malicious share metadata, potentially compromising user data, session tokens, or performing actions on behalf of the user.
Affected Products
- Notesnook mobile application versions prior to 3.3.17
- Notesnook Android application (affected via Android share intents)
- Notesnook iOS application (affected via iOS share metadata)
Discovery Timeline
- April 1, 2026 - CVE-2026-33978 published to NVD
- April 1, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33978
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) occurs because externally supplied metadata is not neutralized before it is rendered in the mobile share/web clip workflow. When a user shares content to Notesnook from external applications or web pages, the application processes metadata fields including titles and subjects. The vulnerable code path accepts this metadata and directly concatenates it into an HTML string without proper encoding or escaping, then renders that string via the innerHTML property in the mobile editor WebView.
The attack requires user interaction: the victim must initiate the share flow and select the "Web clip" option. Once triggered, the payload executes within the WebView context, which may have access to sensitive application data and functionality.
Root Cause
The root cause is the absence of HTML entity encoding or sanitization when processing externally supplied metadata (such as TITLE or SUBJECT fields from Android/iOS share intents, or link-preview title data) before inserting it into the DOM. The application trusts this user-controllable input and renders it directly using innerHTML, which interprets any HTML tags within the input string rather than treating them as plain text.
Attack Vector
The attack exploits the share functionality available on both Android and iOS platforms. The attack flow is as follows:
- The attacker creates content whose title contains an HTML injection payload
- The attacker delivers this content to the victim's device via standard sharing mechanisms
- The victim opens Notesnook's share flow and selects "Web clip," and the malicious title metadata is processed
- The injected HTML (such as </a><img src=x onerror=...>) is inserted into the generated HTML document
- The payload executes in the mobile editor WebView context
The payload can be delivered through Android share intents (TITLE/SUBJECT extras), iOS share extension metadata, or manipulated link-preview title data. The vulnerability is particularly concerning because it exploits a common user workflow: clipping web content for later reference.
Detection Methods for CVE-2026-33978
Indicators of Compromise
- Unexpected JavaScript execution or alerts when using the share/web clip feature
- Unusual network requests originating from the Notesnook WebView
- Reports of modified or corrupted notes appearing after using the share functionality
- Presence of HTML tags such as <img>, <script>, or event handlers like onerror in note metadata
Detection Strategies
- Monitor application logs for WebView JavaScript errors or unexpected script execution events
- Implement content security policies (CSP) within WebViews to restrict inline script execution
- Review shared content metadata for suspicious HTML patterns before processing
- Use static analysis tools to identify innerHTML usage with unsanitized input
Monitoring Recommendations
- Enable verbose logging for the share/web clip functionality to capture metadata processing
- Monitor for anomalous WebView behavior patterns indicating script injection
- Track application crash reports that may indicate exploitation attempts
- Review user-reported issues related to the share functionality for potential attack indicators
How to Mitigate CVE-2026-33978
Immediate Actions Required
- Update Notesnook to version 3.3.17 or later immediately
- Temporarily disable the web clip feature if immediate update is not possible
- Review any recently clipped content for signs of malicious injection
- Clear application cache and data if exploitation is suspected
Patch Information
The vulnerability has been addressed in Notesnook version 3.3.17. The fix involves proper HTML entity encoding of user-controllable metadata before it is inserted into the DOM. For technical details on the patch implementation, refer to the GitHub commit fc8807f and the GitHub Security Advisory GHSA-f27j-fqc6-v7pm. The patched Android version is available via the GitHub Release 3.3.17-android.
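The following is an added example, not Notesnook's code or the actual patch. It illustrates the root cause described above (share metadata concatenated into the HTML string that the WebView later assigns to innerHTML), the entity-encoding fix the patch information describes, and the metadata review step from the detection section. The field names, the clip template, and the sample metadata are constructed for illustration.

```javascript
// Added example, not Notesnook's code: shows how share metadata concatenated
// into HTML (the string later assigned to innerHTML) becomes stored XSS, the
// entity-encoding fix, and a pre-processing check for markup in metadata.
// Field names (url, title) and the template are assumptions.

// Vulnerable pattern: the TITLE field goes straight into the markup.
function buildClipHtmlVulnerable(meta) {
  return `<div class="clip"><a href="${meta.url}">${meta.title}</a></div>`;
}

// Encode the characters that change meaning in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Entity encoding alone does not make a URL safe as an href; only allow
// http(s) so a crafted link cannot carry a script scheme.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '#';
  } catch {
    return '#';
  }
}

// Hardened pattern: every externally supplied field is encoded (and the URL
// validated) before insertion, so a crafted title renders as literal text.
function buildClipHtmlSafe(meta) {
  return `<div class="clip"><a href="${safeHref(meta.url)}">${escapeHtml(meta.title)}</a></div>`;
}

// Review step from the detection section: flag metadata fields that contain
// a tag or an inline event handler before they enter the clip flow.
function metadataLooksSuspicious(meta) {
  const tagOrHandler = /<\/?[a-z!]|\bon[a-z]+\s*=/i;
  return Object.values(meta).some((v) => tagOrHandler.test(String(v)));
}

// Constructed sample share metadata in the shape the advisory describes: the
// title closes the anchor and adds an element with an inline event handler.
const craftedMeta = {
  url: 'https://example.invalid/page',
  title: '</a><img src=x onerror=1>',
};
```

Running buildClipHtmlVulnerable(craftedMeta) yields markup containing a live <img> element with an event handler, while buildClipHtmlSafe(craftedMeta) yields the same title as visible text (&lt;/a&gt;&lt;img ...&gt;).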
Workarounds
- Avoid using the share/web clip feature until the application is updated
- Manually copy and paste content instead of using the system share functionality
- Review and sanitize any content before opening it in the web clip flow
- Consider using the desktop or web version of Notesnook as an alternative until the mobile app is patched
Verify Notesnook version on Android
- Navigate to Settings > About in the application
- Ensure the version is 3.3.17 or higher
- Update via package manager (if using F-Droid or similar), or download directly from GitHub releases
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

