Notesnook, the end-to-end encrypted note-taking app, has been patching security issues at a faster pace than usual over the past few weeks. The latest fix arrived in desktop version 3.3.15, released April 20, addressing a vulnerability that could allow remote code execution through malicious scripts hidden in note content.
The PDF export problem
The vulnerability exploited the PDF export function: specially crafted content could trigger a persistent XSS during rendering, which in the Electron-based desktop app translates to arbitrary command execution on the user’s system. Security researcher iiihaiii reported the issue responsibly, and the team confirmed no user action beyond updating is needed.
This marks the third security issue patched in Notesnook within weeks. Previous fixes included an XSS in the note history viewer (CVE-2026-33955, patched in 3.3.11) and another in the mobile sharing feature (CVE-2026-33976, fixed in 3.3.17 for Android and iOS). All three flaws share the same root cause: user-controlled content rendered without proper sanitization.
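The root cause named above, shown as an added example rather than Notesnook's own code: a hypothetical export routine that escapes all note content and restores only a small allowlist of attribute-free tags before the HTML reaches the PDF renderer. The function names, the tag allowlist, the CSP value and the sample note are assumptions made for illustration.

```javascript
// Added illustration; not Notesnook code. All names here are hypothetical.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "ul", "ol", "li", "code", "pre", "br"];

// Escape every HTML metacharacter so the input can only ever be text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Escape first, then restore only exact, attribute-free allowlisted tags.
// Everything else (script tags, event-handler attributes, unknown elements)
// remains escaped and is rendered as visible text instead of markup.
function sanitizeNoteBody(html) {
  const pattern = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join("|")})&gt;`, "gi");
  return escapeHtml(html).replace(
    pattern,
    (_match, slash, tag) => `<${slash}${tag.toLowerCase()}>`
  );
}

// Build the document handed to the PDF renderer. The CSP is defense in depth:
// with default-src 'none', the export view has no permitted script source.
function buildExportHtml(note) {
  return [
    "<!doctype html><html><head>",
    `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'">`,
    `<title>${escapeHtml(note.title)}</title></head><body>`,
    `<h1>${escapeHtml(note.title)}</h1>`,
    sanitizeNoteBody(note.body),
    "</body></html>",
  ].join("\n");
}

// Constructed sample note containing active content in both fields.
const sampleNote = {
  title: 'Q2 plan <img src=x onerror="alert(1)">',
  body: '<p>Hello <b>team</b></p><script>alert(1)</script><p onclick="x()">hi</p>',
};

console.log(buildExportHtml(sampleNote));
```

A real rich-text editor needs attributes such as link targets and image sources, which calls for a DOM-based sanitizer; the escape-then-restore pattern here only shows why stored content must never reach the renderer as raw markup.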
What else is in 3.3.15
The update adds the ability to empty the trash directly from the context menu in the sidebar: right-click on trash and you’re done. Among the bug fixes, the most annoying issue addressed was a Windows problem where the app would occasionally uninstall itself during updates. Also resolved was a dark mode display problem that made the PDF search box unreadable.
If you’re running Notesnook on desktop, update as soon as possible.
