CVE-2026-42090 — AI Deep Analysis Summary

🚨 **Essence**: Stored XSS in Notesnook export flow. 💥 **Consequences**: Leads to Remote Code Execution (RCE) on Desktop. Users' notes are hijacked to execute malicious scripts.

🛡️ **Root Cause**: CWE-79 (Stored XSS). HTML tags in exported notes (title/content) are **not escaped**. They are injected into an `iframe.srcdoc` without sandboxing.

📦 **Affected**: Notesnook Web/Desktop **< 3.3.15** AND iOS/Android **< 3.3.20**. Specifically targets the Electron-based Desktop app due to Node integration.

💀 **Attacker Power**: Full RCE on victim's machine. Can steal data, install malware, or control the system. Privileges = **User Level** (but with Node.js access).

⚡ **Threshold**: Low. Requires **User Interaction** (UI:R). Victim must export a note containing the malicious payload. No authentication needed to inject if they own the note.

🔍 **Public Exp?**: No PoCs listed in data. However, the mechanism is clear (iframe injection). Wild exploitation is likely once details are public.

🔎 **Self-Check**: Check your Notesnook version. If Desktop < 3.3.15, you are vulnerable. Look for unusual behavior during PDF export or note rendering.

✅ **Fixed?**: YES. Patched in **v3.3.15** (Web/Desktop) and **v3.3.20** (Mobile). Update immediately to the latest version.

🚧 **No Patch?**: Avoid exporting notes to PDF/HTML. Do not open untrusted notes. Disable `nodeIntegration` if you are a developer/custom build (not applicable for end-users).

🔥 **Urgency**: **CRITICAL**. CVSS 9.8 (High). RCE via simple user action. Update NOW. Do not wait.