
Laurent22 Joplin vulnerabilities

15 known vulnerabilities affecting laurent22/joplin.

Total CVEs: 15
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 4, MEDIUM 7

Vulnerabilities

CVE-2025-27134 [HIGH] CWE-284 | P2 | CVSS 8.8 | PoC | fixed in 3.3.3 | 2025-04-30 | source: nvd
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allo
CVE-2023-45673 [CRITICAL] CWE-94 | P3 | CVSS 9.0 | fixed in 2.13.3 | 2024-06-21 | source: nvd
Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note
CVE-2024-49362 [CRITICAL] CWE-94 | P3 | CVSS 9.6 | fixed in 3.1 | 2024-11-14 | source: nvd
Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on a link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML co
CVE-2024-53268 [HIGH] CWE-94 | P3 | CVSS 8.8 | fixed in 3.0.3 | 2024-11-25 | source: nvd
Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. This issue has been addressed in version 3.0.3 and
CVE-2025-24028 [CRITICAL] CWE-79 | P3 | CVSS 9.6 | affected: >= 3.2.6, < 3.2.12 | 2025-02-07 | source: nvd
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the
CVE-2025-27409 [HIGH] CWE-22 | P3 | CVSS 7.5 | fixed in 3.3.3 | 2025-04-30 | source: nvd
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to ch
CVE-2026-22810 [HIGH] CWE-24 | P3 | CVSS 7.3 | fixed in 3.5.7 | 2026-05-18 | source: nvd
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's poss
CVE-2024-40643 [CRITICAL] CWE-79 | P3 | CVSS 9.6 | fixed in 3.0.15 | 2024-09-09 | source: nvd
Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non-letter character will not be considered HTML. As such it is possible to do an XSS by putting an "illegal" tag within a tag.
CVE-2026-34600 [MEDIUM] CWE-200 | P4 | CVSS 5.7 | fixed in 3.5.3 | 2026-05-19 | source: nvd
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INC
CVE-2025-25187 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | fixed in 3.1.24 | 2025-02-07 | source: nvd
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. Thi
CVE-2023-39517 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | fixed in 2.12.8 | 2024-06-21 | source: nvd
Joplin is a free, open source note taking and to-do application. A Cross-site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `` `` links. However, unlike `` links, the `target` and `href` at
CVE-2023-37898 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | fixed in 2.12.9 | 2024-06-21 | source: nvd
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with and , without escaping any interior HTML tags. Thus, an attacker can create a n
CVE-2023-38506 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | fixed in 2.12.10 | 2024-06-21 | source: nvd
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code.
CVE-2025-57798 [MEDIUM] CWE-770 | P4 | CVSS 5.5 | fixed in 3.7.1 | 2026-05-19 | source: nvd
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termi
CVE-2024-55630 [MEDIUM] CWE-20 | P4 | CVSS 5.5 | fixed in 3.2.8 | 2025-02-07 | source: nvd
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerabi