Notesnook, the end-to-end encrypted note-taking app, has been patching security issues at a faster pace than usual over the past few weeks. The latest fix arrived in desktop version 3.3.15, released April 20, addressing a vulnerability that could allow remote code execution through malicious scripts hidden in note content.<\/p>\n\n\n\n
The vulnerability exploited the PDF export function: specially crafted content could trigger a persistent XSS<\/a> during rendering, which in the Electron-based desktop app translates to arbitrary command execution on the user’s system. Security researcher iiihaiii<\/a> reported the issue responsibly, and the team confirmed no user action beyond updating is needed.<\/p>\n\n\n\n This marks the third security issue patched in Notesnook within weeks. Previous fixes included an XSS in the note history viewer (CVE-2026-33955, patched in 3.3.11) and another in the mobile sharing feature (CVE-2026-33976, fixed in 3.3.17 for Android and iOS). All three flaws share the same root cause: user-controlled content rendered without proper sanitization.<\/p>\n\n\n\n The update adds the ability to empty the trash directly from the context menu in the sidebar, right-click on trash and you’re done. Among the bug fixes, the most annoying one addressed a Windows issue where the app would occasionally uninstall itself during updates. Also resolved was a dark mode display problem with the PDF search box becoming unreadable.<\/p>\n\n\n\n If you’re running Notesnook on desktop, update as soon as possible.<\/p>\n\n\n\n \n What else is in 3.3.15<\/h3>\n\n\n\n