Joplinapp Joplin vulnerabilities
15 known vulnerabilities affecting joplinapp/joplin.

Total CVEs: 15
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 9

Vulnerabilities
Each entry below is listed as: CVE ID | priority | severity | PoC (public exploit, where one exists) | CVSS (where listed) | affected or fixed versions | date.
CVE-2020-15930 | P3 | MEDIUM | PoC | affected ≥ 1.0.190, < 1.1.7 | 2021-05-07
CVE-2020-15930 [MEDIUM] CWE-79 Cross-site Scripting in Joplin
An XSS issue in Joplin desktop allows arbitrary code execution via a malicious HTML embed tag.
Sources: GHSA, OSV

CVE-2020-28249 | P3 | MEDIUM | PoC | affected ≥ 0, < 1.3.11 | 2021-05-10
CVE-2020-28249 [MEDIUM] CWE-79 Cross-site scripting in Joplin
Joplin allows XSS via a LINK element in a note.
Sources: GHSA, OSV

CVE-2022-23340 | P3 | CRITICAL | affected ≥ 0, < 2.7.1 | 2022-02-09
CVE-2022-23340 [CRITICAL] CWE-94 Joplin Vulnerable to Code Injection
Joplin prior to version 2.7.1 allows remote attackers to execute system commands through malicious code in user search results.
Sources: GHSA, OSV

CVE-2020-9038 | P4 | MEDIUM | PoC | affected ≥ 0, < 1.2.1 | 2020-10-13
CVE-2020-9038 [MEDIUM] CWE-79 Cross-site Scripting in Joplin
Joplin through 1.0.184 allows Arbitrary File Read via Cross-site Scripting (XSS).
Sources: GHSA, OSV

CVE-2022-35131 | P3 | CRITICAL | CVSS 9.0 | v2.8.8 | 2022-07-25
CVE-2022-35131 [CRITICAL] CWE-79
Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into note titles.
Sources: GHSA, NVD, OSV

CVE-2024-49362 | P3 | HIGH | affected ≥ 3.0.0, < 3.1.0 | 2024-11-14
CVE-2024-49362 [HIGH] CWE-94 Remote Code Execution on click of <a> Link in markdown preview
Summary: There is a vulnerability in `Joplin-desktop` that leads to remote code execution (RCE) when a user clicks on an `<a>` link within untrusted notes. The issue arises due to insufficient sanitization of `<a>` tag attributes introduced by the `Mermaid` renderer. This vulnerability allows the execution of untrusted HTML content within the Electron windo
Sources: GHSA, OSV

CVE-2022-40277 | P3 | HIGH | CVSS 7.8 | v2.8.8 | 2022-09-30
CVE-2022-40277 [HIGH] CWE-20
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function.
Sources: GHSA, NVD, OSV

CVE-2026-22810 | P3 | HIGH | CVSS 7.3 | fixed in 3.5.7 | 2026-05-18
CVE-2026-22810 [HIGH] CWE-24
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's poss
Sources: NVD

CVE-2021-23431 | P3 | HIGH | CVSS 8.8 | fixed in 2.3.2 | affected < 2.3.2 (lower bound unspecified) | 2021-08-24
CVE-2021-23431 [HIGH] CWE-352
The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.
Sources: GHSA, NVD, OSV

CVE-2018-1000534 | P4 | MEDIUM | affected ≥ 0, < 1.0.90 | 2022-05-14
CVE-2018-1000534 [MEDIUM] CWE-79 Joplin Vulnerable to Cross-site Scripting in Note Content
Joplin versions prior to 1.0.90 contain a Cross-site Scripting (XSS) vulnerability in the note content field that escalates to code execution because nodeIntegration was enabled for the BrowserWindow instance in which the XSS occurs. Information on the fix can be found here: https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf
Sources: GHSA, OSV

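The escalation in this entry is a configuration issue, so here is an added example (not Joplin's code) that audits a BrowserWindow's webPreferences against the settings that keep a note-content XSS from reaching Node: the weak shape the entry describes beside a hardened one. Field names are Electron's; the preload path is a placeholder, and the audit treats an unset field as not hardened, which is deliberate since Electron's defaults for these fields have changed across major versions.

```javascript
// Added example, not Joplin's code: audit the webPreferences of the Electron
// BrowserWindow that renders note HTML. With nodeIntegration on, an XSS payload
// in a note can reach require('child_process') directly; the hardened settings
// keep it inside the sandboxed page. Field names are Electron's. An unset field
// is reported as not hardened: Electron's defaults changed across major
// versions, so an audit should not rely on them.

const REQUIRED = {
  nodeIntegration: false,            // no Node primitives in page scripts
  nodeIntegrationInWorker: false,
  nodeIntegrationInSubFrames: false,
  contextIsolation: true,            // preload/Electron objects not reachable from page JS
  sandbox: true,                     // renderer runs under the Chromium sandbox
  webSecurity: true,                 // same-origin policy stays enforced
  allowRunningInsecureContent: false,
  experimentalFeatures: false,
};

// Returns a list of findings; an empty list means the window is hardened.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, want] of Object.entries(REQUIRED)) {
    const got = prefs[key];
    if (got !== want) {
      findings.push(`${key}: expected ${want}, got ${got === undefined ? 'unset' : got}`);
    }
  }
  if (prefs.enableRemoteModule === true) {
    findings.push('enableRemoteModule: the remote module hands page JS main-process objects');
  }
  if (typeof prefs.preload === 'string' && prefs.contextIsolation !== true) {
    findings.push('preload: without contextIsolation the preload scope is reachable from page JS');
  }
  return findings;
}

// The weak shape this entry describes (nodeIntegration enabled for the window
// that renders note content) beside a hardened configuration.
// The preload path is a placeholder, not a real file.
const WEAK_NOTE_WINDOW = { nodeIntegration: true, webSecurity: false, preload: '/app/preload.js' };
const HARDENED_NOTE_WINDOW = { ...REQUIRED, preload: '/app/preload.js' };

function auditBoth() {
  return {
    weak: auditWebPreferences(WEAK_NOTE_WINDOW),
    hardened: auditWebPreferences(HARDENED_NOTE_WINDOW),
  };
}

module.exports = { REQUIRED, auditWebPreferences, auditBoth };
```

Hardening the window does not remove the XSS itself (the other CWE-79 entries on this page still need sanitization), but it changes what an injected script can reach: with nodeIntegration off and contextIsolation on, the payload is confined to the page and whatever the preload script exposes on purpose.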
CVE-2021-37916 | P4 | MEDIUM | affected ≥ 0, < 2.0.9 | 2022-05-24
CVE-2021-37916 [MEDIUM] CWE-79 Joplin vulnerable to Cross-site Scripting in notes
Joplin before 2.0.9 allows Cross-site Scripting via button and form in the note body.
Sources: GHSA, OSV

CVE-2023-37298 | P4 | MEDIUM | affected ≥ 0, < 2.11.5 | 2023-06-30
CVE-2023-37298 [MEDIUM] CWE-79 Joplin Cross-site Scripting vulnerability
Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
Sources: GHSA, OSV

CVE-2023-37299 | P4 | MEDIUM | affected ≥ 0, < 2.11.5 | 2023-06-30
CVE-2023-37299 [MEDIUM] CWE-79 Joplin Cross-site Scripting vulnerability
Joplin before 2.11.5 allows XSS via an AREA element of an image map.
Sources: GHSA, OSV

CVE-2022-45598 | P4 | MEDIUM | affected ≥ 0, < 2.9.17 | 2023-01-31
CVE-2022-45598 [MEDIUM] CWE-79 Joplin Desktop App vulnerable to Cross-site Scripting
Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows an attacker to execute arbitrary code via improper sanitization.
Sources: GHSA, OSV

CVE-2021-33295 | P4 | MEDIUM | affected ≥ 0, < 1.8.5 | 2022-06-17
CVE-2021-33295 [MEDIUM] CWE-79 Joplin Cross Site Scripting Vulnerability via NOSCRIPT tags
Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute arbitrary code due to improper sanitization of HTML.
Sources: GHSA, OSV