Description

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.

INFO

Published Date :

2026-03-11T18:17:08.142Z

Last Modified :

2026-03-12T20:08:12.048Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31876 vulnerability.

Vendors Products
Streetwriters
  • Notesnook
  • Notesnook Desktop
  • Notesnook Mobile
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31876.

URL Resource
https://github.com/streetwriters/notesnook/commit/e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7 cve-icon cve-icon
https://github.com/streetwriters/notesnook/security/advisories/GHSA-jprx-2w2h-4rh5 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact