Joplin Project Joplin vulnerabilities
22 known vulnerabilities affecting joplin_project/joplin.
Total CVEs
22
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
CRITICAL5HIGH3MEDIUM14
Vulnerabilities
Page 1 of 2
CVE-2025-27134P2HIGHCVSS 8.8PoCfixed in 3.3.32025-04-30
CVE-2025-27134 [HIGH] CWE-284 CVE-2025-27134: Joplin is a free, open source note taking and to-do application, which can handle a large number of
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allo
nvd
CVE-2020-15930P3MEDIUMCVSS 6.1PoC≥ 1.0.190, ≤ 1.0.2452020-09-24
CVE-2020-15930 [MEDIUM] CWE-79 CVE-2020-15930: An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HT
An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
nvd
CVE-2022-23340P3CRITICALCVSS 9.8v2.6.102022-02-08
CVE-2022-23340 [CRITICAL] CVE-2022-23340: Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user sear
Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results.
nvd
CVE-2020-28249P3MEDIUMCVSS 6.1PoCv1.2.62020-11-06
CVE-2020-28249 [MEDIUM] CWE-79 CVE-2020-28249: Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.
Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.
nvd
CVE-2023-45673P3CRITICALCVSS 9.0fixed in 2.13.32024-06-21
CVE-2023-45673 [CRITICAL] CWE-94 CVE-2023-45673: Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulne
Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note
nvd
CVE-2020-9038P4MEDIUMCVSS 5.4PoC≤ 1.0.1842020-02-17
CVE-2020-9038 [MEDIUM] CWE-79 CVE-2020-9038: Joplin through 1.0.184 allows Arbitrary File Read via XSS.
Joplin through 1.0.184 allows Arbitrary File Read via XSS.
nvd
CVE-2024-49362P3CRITICALCVSS 9.6fixed in 3.12024-11-14
CVE-2024-49362 [CRITICAL] CWE-94 CVE-2024-49362: Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability
Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML co
nvd
CVE-2024-53268P3HIGHCVSS 8.8fixed in 3.0.32024-11-25
CVE-2024-53268 [HIGH] CWE-94 CVE-2024-53268: Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS,
Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. This issue has been addressed in version 3.0.3 and
nvd
CVE-2025-24028P3CRITICALCVSS 9.6fixed in 3.2.122025-02-07
CVE-2025-24028 [CRITICAL] CWE-79 CVE-2025-24028: Joplin is a free, open source note taking and to-do application, which can handle a large number of
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the
nvd
CVE-2025-27409P3HIGHCVSS 7.5fixed in 3.3.32025-04-30
CVE-2025-27409 [HIGH] CWE-22 CVE-2025-27409: Joplin is a free, open source note taking and to-do application, which can handle a large number of
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to ch
nvd
CVE-2024-40643P3CRITICALCVSS 9.6fixed in 3.0.152024-09-09
CVE-2024-40643 [CRITICAL] CWE-79 CVE-2024-40643: Joplin is a free, open source note taking and to-do application. Joplin fails to take into account t
Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
nvd
CVE-2025-25187P4MEDIUMCVSS 5.4fixed in 3.1.242025-02-07
CVE-2025-25187 [MEDIUM] CWE-79 CVE-2025-25187: Joplin is a free, open source note taking and to-do application, which can handle a large number of
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. Thi
nvd
CVE-2018-1000534P4MEDIUMCVSS 6.1fixed in 1.0.902018-06-26
CVE-2018-1000534 [MEDIUM] CWE-79 CVE-2018-1000534: Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegr
Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that c
nvd
CVE-2023-39517P4MEDIUMCVSS 5.4fixed in 2.12.82024-06-21
CVE-2023-39517 [MEDIUM] CWE-79 CVE-2023-39517: Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulner
Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `` `` links. However, unlike `` links, the `target` and `href` at
nvd
CVE-2023-37898P4MEDIUMCVSS 5.4fixed in 2.12.92024-06-21
CVE-2023-37898 [MEDIUM] CWE-79 CVE-2023-37898: Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulner
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with and , without escaping any interior HTML tags. Thus, an attacker can create a n
nvd
CVE-2023-38506P4MEDIUMCVSS 5.4fixed in 2.12.102024-06-21
CVE-2023-38506 [MEDIUM] CWE-79 CVE-2023-38506: Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulner
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code.
nvd
CVE-2021-37916P4MEDIUMCVSS 6.1fixed in 2.0.92021-08-03
CVE-2021-37916 [MEDIUM] CWE-79 CVE-2021-37916: Joplin before 2.0.9 allows XSS via button and form in the note body.
Joplin before 2.0.9 allows XSS via button and form in the note body.
nvd
CVE-2023-37298P4MEDIUMCVSS 6.1fixed in 2.11.52023-06-30
CVE-2023-37298 [MEDIUM] CWE-79 CVE-2023-37298: Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
nvd
CVE-2023-37299P4MEDIUMCVSS 6.1fixed in 2.11.52023-06-30
CVE-2023-37299 [MEDIUM] CWE-79 CVE-2023-37299: Joplin before 2.11.5 allows XSS via an AREA element of an image map.
Joplin before 2.11.5 allows XSS via an AREA element of an image map.
nvd
CVE-2022-45598P4MEDIUMCVSS 6.1fixed in 2.9.172023-01-31
CVE-2022-45598 [MEDIUM] CWE-79 CVE-2022-45598: Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute a
Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper santization.
nvd
1 / 2Next →