CVE-2026-42090 Overview
CVE-2026-42090 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in Notesnook, a privacy-focused note-taking application. The flaw resides in the note export flow, where exported note fields including title, headline, and content are inserted into a generated HTML template without HTML escaping. When users export notes to PDF, Notesnook renders the HTML inside a same-origin, unsandboxed iframe via iframe.srcdoc. In the desktop application, the XSS escalates to remote code execution (RCE) because Electron is configured with nodeIntegration: true and contextIsolation: false. The issue affects Notesnook Web/Desktop prior to 3.3.15 and Notesnook iOS/Android prior to 3.3.20.
Critical Impact
Attackers can achieve remote code execution on Notesnook desktop installations by tricking users into exporting a maliciously crafted note to PDF.
Affected Products
- Notesnook Web/Desktop versions prior to 3.3.15
- Notesnook iOS versions prior to 3.3.20
- Notesnook Android versions prior to 3.3.20
Discovery Timeline
- 2026-05-04 - CVE-2026-42090 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-42090
Vulnerability Analysis
The vulnerability stems from unsafe HTML construction during the note export workflow. Notesnook concatenates user-controlled note fields (title, headline, content) directly into an HTML template without escaping special characters such as <, >, and ". An attacker who controls note content, such as through a shared note or imported data, can inject arbitrary HTML and JavaScript into the generated document.
When the user exports the note to PDF, Notesnook assigns the resulting HTML to an iframe through the iframe.srcdoc property. The iframe runs in the same origin as the Notesnook application and is not sandboxed. Injected scripts therefore execute with full access to the Notesnook origin.
On the desktop client, this same-origin script execution becomes RCE. Electron is configured with nodeIntegration: true and contextIsolation: false, exposing Node.js APIs such as require('child_process') directly to renderer scripts. Attackers can spawn arbitrary processes on the host system. The CWE-79 classification reflects the underlying injection flaw, while user interaction is required to trigger the export action.
Root Cause
The root cause is missing output encoding when building the export HTML template. Note fields are concatenated as raw strings rather than being passed through an HTML-escaping routine. Compounding this, the export iframe is rendered same-origin and unsandboxed, and the Electron shell disables modern process isolation defenses.
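To make the root cause concrete, here is an added example (not Notesnook's own code) of an export-template builder in the vulnerable shape described above, beside a hardened form that escapes each field and sandboxes the srcdoc frame; the function and field names are assumptions chosen for illustration.

```javascript
// Added example (not Notesnook's code): an export-template builder in the
// vulnerable shape the advisory describes, beside its hardened form.
// Function and field names are assumptions chosen for illustration.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: note fields are concatenated raw into the template.
function buildExportHtmlVulnerable(note) {
  return `<!doctype html><html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1><p class="headline">${note.headline}</p>` +
    `<div class="content">${note.content}</div></body></html>`;
}

// Hardened shape: every user-controlled field passes through escapeHtml.
// (A field that must keep its markup needs an allowlist sanitizer instead.)
function buildExportHtmlSafe(note) {
  return `<!doctype html><html><head><title>${escapeHtml(note.title)}</title></head>` +
    `<body><h1>${escapeHtml(note.title)}</h1>` +
    `<p class="headline">${escapeHtml(note.headline)}</p>` +
    `<div class="content">${escapeHtml(note.content)}</div></body></html>`;
}

// Defence in depth on the rendering side: srcdoc is an attribute, so the
// document must be attribute-escaped, and an empty sandbox value applies
// every restriction (no scripts, opaque origin) if a field is ever missed.
function exportIframeMarkup(html) {
  return `<iframe sandbox="" srcdoc="${escapeHtml(html)}"></iframe>`;
}

// Constructed sample note carrying the kinds of markup the advisory lists.
const sampleNote = {
  title: 'Budget <script>document.title = "x"</script>',
  headline: 'Q3 "draft" & <b>bold</b>',
  content: '<img src=x onerror="void 0"> plain text',
};

console.log(buildExportHtmlVulnerable(sampleNote).includes("<script>")); // true
console.log(buildExportHtmlSafe(sampleNote).includes("<script"));        // false
```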
Attack Vector
The attack requires an attacker to deliver a malicious note to the victim, for example through a shared notebook, monolith import, or sync abuse. The victim must subsequently trigger a PDF export of the note. Once the iframe renders the unescaped content, the injected payload executes in the Notesnook origin and, on desktop, can pivot to Node.js APIs for command execution.
No verified exploit code is published. See the GitHub Security Advisory GHSA-fjm8-jg78-89h4 for technical details.
Detection Methods for CVE-2026-42090
Indicators of Compromise
- Notesnook desktop processes spawning unexpected child processes such as cmd.exe, powershell.exe, bash, or sh.
- Notes containing HTML or JavaScript constructs in title, headline, or content fields, including <script>, <img onerror=, or <iframe> tags.
- Outbound network connections from the Notesnook Electron process to non-Notesnook infrastructure following a PDF export action.
Detection Strategies
- Inspect synced or imported note payloads for embedded HTML tags and event handler attributes prior to opening them in vulnerable clients.
- Monitor endpoint telemetry for the Notesnook process tree and alert when the renderer spawns shells, scripting interpreters, or file-writing utilities.
- Review application logs and crash reports around export-to-PDF operations for anomalous behavior.
Monitoring Recommendations
- Enable process creation auditing on systems running Notesnook desktop and centralize logs in a SIEM for correlation.
- Track installed Notesnook versions across the fleet and flag any host running a version below 3.3.15 (desktop) or 3.3.20 (mobile).
- Alert on file system writes to startup, autorun, or scheduled task locations originating from the Notesnook process.
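The process-tree indicator and the version gate above, as an added detection example (not Notesnook's or any EDR vendor's code); the Sysmon-style Image/ParentImage field names and every sample event are constructed for this example.

```javascript
// Added example (not Notesnook's or any EDR vendor's code): flag
// process-creation events in which a Notesnook desktop process spawns a
// shell or scripting interpreter, and gate hosts on the advisory's fixed
// versions. Field names and all sample events are constructed.

const SHELL_IMAGES = new Set([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "bash", "sh", "zsh", "python", "python3", "osascript",
]);

function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Electron spawns helper processes named after the app, so match on prefix.
function isNotesnookProcess(imagePath) {
  return baseName(imagePath).startsWith("notesnook");
}

// Parent is Notesnook and child is an interpreter: the advisory's IoC.
function findSuspiciousSpawns(events) {
  return events.filter((e) =>
    isNotesnookProcess(e.ParentImage) && SHELL_IMAGES.has(baseName(e.Image)));
}

// Numeric dotted-version compare: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Fixed versions from the advisory: 3.3.15 for web/desktop, 3.3.20 for mobile.
function isVulnerableVersion(platform, version) {
  const fixed = platform === "desktop" || platform === "web" ? "3.3.15" : "3.3.20";
  return compareVersions(version, fixed) < 0;
}

const sampleEvents = [
  { Image: "C:\\Windows\\System32\\cmd.exe",
    ParentImage: "C:\\Users\\u\\AppData\\Local\\Programs\\Notesnook\\Notesnook.exe" },
  { Image: "C:\\Users\\u\\AppData\\Local\\Programs\\Notesnook\\Notesnook.exe",
    ParentImage: "C:\\Users\\u\\AppData\\Local\\Programs\\Notesnook\\Notesnook.exe" },
  { Image: "/bin/sh", ParentImage: "/Applications/Notesnook.app/Contents/MacOS/Notesnook" },
  { Image: "/bin/sh", ParentImage: "/usr/bin/gnome-terminal" },
];

console.log(findSuspiciousSpawns(sampleEvents).length); // 2
```

The second sample event (Notesnook spawning its own renderer helper) is deliberately not flagged, since Electron apps routinely do that.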
How to Mitigate CVE-2026-42090
Immediate Actions Required
- Upgrade Notesnook Web/Desktop to version 3.3.15 or later immediately.
- Upgrade Notesnook iOS and Android clients to version 3.3.20 or later.
- Avoid exporting untrusted or externally sourced notes to PDF until all clients are patched.
- Review shared notebooks and recently imported notes for suspicious HTML content.
Patch Information
The vendor released fixes in Notesnook v3.3.15 for Web and Desktop and in Notesnook 3.3.20 for the iOS and Android mobile clients. The patched versions HTML-escape exported note fields before inserting them into the export template, preventing script execution within the export iframe.
Workarounds
- Do not use the export-to-PDF feature in unpatched desktop builds, especially for notes received from external parties.
- Restrict note sharing and imports to trusted sources until upgrades are complete.
- Where feasible, use the mobile or web clients for export operations, which do not expose Node.js APIs through Electron; the stored XSS itself still affects those clients until they are updated to 3.3.15 (web) or 3.3.20 (mobile).
# Verify installed Notesnook desktop version (Linux/macOS)
notesnook --version
# Windows: check version via PowerShell. Per-user installs register under HKCU
# rather than HKLM, so query both hives (plus the 32-bit view on 64-bit hosts).
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like "Notesnook*" } |
Select-Object DisplayName, DisplayVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.