


Perceptive Security
SOC/SIEM Consultancy

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3…
Published:
3 May 2026 at 22:00:00
Alert date:
4 May 2026 at 18:09:25
Source:
nvd.nist.gov
Mobile & IoT, Web Technologies, Enterprise Applications
A stored XSS vulnerability in the export flow of the Notesnook note-taking app can escalate to remote code execution in the desktop version. The vulnerability occurs when exported note fields are inserted into HTML templates without proper escaping. When a note is exported to PDF, the HTML is rendered in an unsandboxed iframe, which allows script execution. In the desktop app this becomes RCE because the Electron configuration has nodeIntegration enabled and contextIsolation disabled. The issue affects versions prior to Web/Desktop 3.3.15 and iOS/Android 3.3.20 and is patched in those versions.
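The export pattern described above, next to a hardened form, as an added example that is not Notesnook's code or its patch. The template, the note fields (title, tags), the function names and the sample note are assumptions constructed for illustration; `sandbox`, `srcdoc`, `nodeIntegration` and `contextIsolation` are the standard HTML and Electron settings.

```javascript
// Added example: hypothetical export template, not Notesnook's code.

// Escape the characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": note fields are concatenated into the template as markup.
function renderExportUnsafe(note) {
  return `<html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1><p class="tags">${note.tags.join(", ")}</p></body></html>`;
}

// "After": every note field is escaped before insertion.
function renderExportSafe(note) {
  const title = escapeHtml(note.title);
  const tags = note.tags.map(escapeHtml).join(", ");
  return `<html><head><title>${title}</title></head>` +
    `<body><h1>${title}</h1><p class="tags">${tags}</p></body></html>`;
}

// Defence in depth for the PDF step: an empty sandbox attribute
// disables script execution inside the rendering frame.
function sandboxedFrame(html) {
  return `<iframe sandbox="" srcdoc="${escapeHtml(html)}"></iframe>`;
}

// Electron window settings that keep Node.js APIs out of page scripts.
const hardenedWebPreferences = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Constructed sample note with markup in its fields.
const sampleNote = {
  title: 'Q3 plan <script>document.title = "injected"</script>',
  tags: ["work", '<img src=x onerror="void 0">'],
};

// Simple check for tags that survived as live markup.
function containsActiveMarkup(html) {
  return /<script\b|<img\b/i.test(html);
}

console.log("unsafe export keeps live markup:", containsActiveMarkup(renderExportUnsafe(sampleNote)));
console.log("safe export keeps live markup:  ", containsActiveMarkup(renderExportSafe(sampleNote)));
```

Escaping fixes the injection at its source; the sandboxed frame and the Electron settings limit what a missed field could do.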
Technical details
Mitigation steps:
Affected products:
Notesnook
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-42090
https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android
https://github.com/streetwriters/notesnook/releases/tag/v3.3.15
https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
