External risk intelligence

Notesnook could allow an internal attacker to take full control of the user's computer

CVE advisory
Severity: CRITICAL (CVSS 9.6)

CVE-2026-42090

An external attacker could take full control of a computer running Notesnook if a user exports a malicious note to PDF. This action enables the attacker to run hidden commands, risking total system compromise and unauthorized access to the victim's sensitive personal information.

Halo Surface Signal: 1

Vulnerability type: Cross-site Scripting

Affected product: Streetwriters Notesnook Desktop

Affected versions: before 3.3.15 (desktop); before 3.3.20 (mobile)

External exposure likelihood

Halo Surface Signal score for CVE-2026-42090

This is a client-side desktop application vulnerability. The attack vector requires local user interaction, specifically triggering a manual export process within the application, and does not involve a network-reachable service, public-facing interface, or internet-accessible gateway.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Notesnook note-taking app allows the execution of arbitrary code. It occurs because exported note content is inserted into the export HTML template without escaping, so scripts embedded in a note run with elevated privileges inside the desktop application. This presents a significant risk because it can lead to a full compromise of the affected system.

  • Allows arbitrary code execution.
  • Affects desktop users.
  • Impacts user privacy and system security.

Attack Path

How an attacker could exploit the issue

An attacker could trick a user into importing a specially crafted note into the Notesnook desktop application. This malicious note, when exported to PDF, would trigger code execution due to the desktop app's Electron configuration, allowing the attacker to run arbitrary commands on the user's system.

  • User must import note.
  • User must trigger export.
  • Desktop app is required.

Live Threat

Current exploitation, exposure, and threat context

This stored XSS vulnerability, which can escalate to RCE on the desktop app, is interesting to attackers due to the severity of the outcome and the potential for unauthenticated users to trigger it. However, the path to exploitation, requiring manual user interaction and a specific export process, makes it less attractive for widespread automated attacks. The absence of public exploit code or active exploitation signals suggests attackers have not yet prioritized weaponizing this specific flaw.

  • Requires user interaction for RCE.
  • No public exploit code observed.
  • Recent patch indicates ongoing maintenance.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Notesnook desktop and mobile applications to the latest versions to address the stored XSS vulnerability that can lead to RCE. If immediate patching is not feasible, isolate affected desktop clients from the network and implement strict monitoring for unusual process creation or network connections originating from the application.

  • Update Notesnook desktop to 3.3.15+.
  • Update Notesnook mobile to 3.3.20+.
  • Monitor for suspicious processes.
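The "unusual process creation" monitoring recommended above, made concrete as an added example (not code from the advisory, from Streetwriters, or from any product): a small detection over process-creation events that flags shells and script interpreters spawned by the Notesnook desktop process. The event records are constructed; their field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`, `UtcTime`), but every path, time and command line is invented for the example, and the `classifyEvent` / `findSuspiciousChildren` helper names are assumptions.

```javascript
// Added detection example; events are constructed, field names modelled on
// Sysmon Event ID 1. Nothing here is Notesnook code.

// Interpreters and script hosts that a note-taking app has no reason to spawn.
const INTERPRETERS = new Set([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "sh", "bash", "zsh", "python", "python3",
  "osascript",
]);

// Last path component, lower-cased, for both Windows and POSIX paths.
function basename(p) {
  return String(p).split(/[\\/]/).pop().toLowerCase();
}

function isNotesnookProcess(image) {
  return basename(image).startsWith("notesnook");
}

// Electron apps legitimately spawn copies of their own binary (renderer, GPU
// and utility processes), so a child with the same image name as the parent
// is expected. A child in INTERPRETERS is flagged as suspicious; any other
// child is reported for review so an analyst can extend the lists.
function classifyEvent(ev) {
  if (!isNotesnookProcess(ev.ParentImage)) return "not-relevant";
  const child = basename(ev.Image);
  if (child === basename(ev.ParentImage)) return "expected-helper";
  if (INTERPRETERS.has(child)) return "suspicious";
  return "review";
}

function findSuspiciousChildren(events) {
  return events.filter((ev) => classifyEvent(ev) === "suspicious");
}

// Constructed sample events (invented paths, times and command lines).
const sampleEvents = [
  { UtcTime: "2026-01-10 09:00:01", ParentImage: "C:\\Program Files\\Notesnook\\Notesnook.exe",
    Image: "C:\\Program Files\\Notesnook\\Notesnook.exe", CommandLine: "Notesnook.exe --type=renderer" },
  { UtcTime: "2026-01-10 09:00:07", ParentImage: "C:\\Program Files\\Notesnook\\Notesnook.exe",
    Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe /c echo probe" },
  { UtcTime: "2026-01-10 09:01:12", ParentImage: "C:\\Windows\\explorer.exe",
    Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe" },
  { UtcTime: "2026-01-10 09:02:30", ParentImage: "/opt/Notesnook/notesnook",
    Image: "/bin/sh", CommandLine: "sh -c true" },
  { UtcTime: "2026-01-10 09:03:05", ParentImage: "/opt/Notesnook/notesnook",
    Image: "/usr/bin/xdg-open", CommandLine: "xdg-open https://example.invalid/" },
];

// Stand-alone run: print the flagged child processes.
for (const ev of findSuspiciousChildren(sampleEvents)) {
  console.log(`${ev.UtcTime} suspicious child of Notesnook: ${ev.Image} (${ev.CommandLine})`);
}
```

The same-image allowlist matters in practice: without it every Electron helper process the app starts would be a false positive, and the rule would be tuned out within a day.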

Frequently asked questions

What is Notesnook and what is it used for?

Notesnook is a privacy-focused note-taking application designed for users to manage their notes across devices securely. It offers end-to-end encryption and offline access, allowing users to create, edit, and organize notes without an internet connection. The app organizes notes into notebooks and supports various export formats like PDF, HTML, and Markdown.

What type of vulnerability does CVE-2026-42090 represent?

CVE-2026-42090 is a stored cross-site scripting (XSS) vulnerability that can escalate to remote code execution (RCE) on the desktop application. This occurs because exported note fields are inserted into an HTML template without proper escaping, and when rendered in an iframe, injected scripts can execute within the application's origin.
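The template defect described in that answer, shown as an added example that is not Notesnook's code: a PDF-export step that builds HTML from note fields by plain interpolation, next to a hardened version that escapes every field and declares a script-blocking Content-Security-Policy. The note field names (`title`, `content`), the helper names and the sample note are assumptions; the example treats fields as plain text, so a rich-text body would need an allowlist sanitizer instead of `escapeHtml`, which is outside what is shown here. The `webPreferences` keys are real Electron `BrowserWindow` option names.

```javascript
// Added example: unescaped vs. escaped note export. Not Notesnook code; field
// names and helpers are assumed.

// Escape the characters that let text break out of an HTML text node or a
// double-quoted attribute value. Ampersand goes first so nothing is escaped twice.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: fields are interpolated as-is, so markup inside a note
// title or body becomes live markup in the exported document.
function renderExportUnsafe(note) {
  return `<!doctype html><html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1><div class="content">${note.content}</div></body></html>`;
}

// Hardened pattern: every field is escaped, and the document declares a CSP
// that permits no script at all. A PDF export never needs to run script, so the
// CSP is cheap defence in depth if an escape is ever missed.
function renderExportSafe(note) {
  const csp = `<meta http-equiv="Content-Security-Policy" ` +
    `content="default-src 'none'; style-src 'unsafe-inline'; img-src data:">`;
  const title = escapeHtml(note.title);
  const content = escapeHtml(note.content);
  return `<!doctype html><html><head>${csp}<title>${title}</title></head>` +
    `<body><h1>${title}</h1><div class="content">${content}</div></body></html>`;
}

// Electron BrowserWindow webPreferences (real option names) that an export or
// preview window should carry, so that a script which does slip through has no
// bridge to Node or the filesystem. Assumed configuration, not Notesnook's.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// Reviewer/test check over a rendered export: a script element, or an inline
// event handler or javascript: URL inside a tag. Escaped text cannot match
// because it no longer contains a raw '<'.
const ACTIVE_CONTENT = /<script\b|<[^>]*\s(?:on\w+\s*=|href\s*=\s*["']?\s*javascript:)/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Constructed sample note: the fields carry a placeholder script element and an
// inline handler purely to show that unescaped interpolation keeps them intact.
const sampleNote = {
  title: "Groceries <script>probe()</script>",
  content: 'Milk & eggs <img src=x onerror="probe()">',
};

// Stand-alone run: compare the two renderings.
console.log("unsafe export contains active content:", containsActiveContent(renderExportUnsafe(sampleNote)));
console.log("safe export contains active content:  ", containsActiveContent(renderExportSafe(sampleNote)));
```

The check function is deliberately coarse; its purpose is a unit test that fails the build if someone reintroduces raw interpolation into the export template, not a sanitizer.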

What are the preconditions for exploiting CVE-2026-42090?

Exploitation requires an attacker to deliver a specially crafted note to a user. The user must then manually trigger an export of this note to PDF within the Notesnook desktop application. This manual interaction and export process are necessary to trigger the vulnerability.

Who needs to be concerned about CVE-2026-42090?

Users of the Notesnook desktop application are at risk. This vulnerability is classified as external, meaning it can be exploited over a network, but the specific attack vector requires local user interaction within the application, making it a concern for individual users of the desktop version.

What is the first step to address CVE-2026-42090?

The immediate first step is to update the Notesnook desktop application to version 3.3.15 or later. For mobile users, updating to version 3.3.20 or later is also recommended. If immediate patching isn't possible, avoiding the export of untrusted notes to PDF is advised.
