CVE-2020-15930
Description
An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joplin desktop 1.0.190–1.0.245 allows XSS via malicious HTML embed tags, potentially leading to arbitrary code execution.
Vulnerability
Overview
The Joplin desktop note-taking application, versions 1.0.190 through 1.0.245, contains a cross-site scripting (XSS) vulnerability in its rich-text rendering engine. The root cause is that the HTML sanitizer allowed `<embed>` tags, which can be used to inject arbitrary HTML and execute JavaScript in the context of the application’s note viewer. This issue is tracked as CVE-2020-15930 [1][3].
Attack
Vector
An attacker can exploit this by crafting a malicious note containing an `<embed>` tag with a `src` attribute pointing to a controlled script or payload. When the victim opens or views the note in the Joplin desktop client, the embedded content is loaded and executed without proper sanitization. No authentication or additional privileges beyond the ability to create or import notes are required; the vulnerability is triggered purely through the note viewing process [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the note viewer’s context. This can lead to data exfiltration, manipulation of note content, or other actions limited only by the capabilities of the Joplin application runtime. In practice, this could be leveraged to steal credentials, access synced data, or perform further attacks against the user’s system, given that the note viewer operates within the Electron environment [1][2][4].
Mitigation
The vulnerability was fixed in Joplin version 1.1.4, released on September 22, 2020. The patch adds `embed` to the list of disallowed HTML tags (`disallowedTags`) in the sanitizer, preventing the tag from being rendered [3][4]. Users should upgrade to v1.1.4 or later. No official workaround is available for earlier versions; the only safe mitigation is upgrading.
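As an added illustration (not Joplin's code, and using a toy tokenizer in place of htmlparser2), the filter below models the sanitizer's tag denylist before and after the fix: the pre-fix list passes an `<embed src=...>` element straight through to the renderer, while the patched list drops it. The void-element set, the audit helper and the sample note are assumptions made for this example.

```javascript
// Added example (not Joplin's code): a minimal tag filter in the style of the patched
// htmlUtils.js, with a toy tokenizer instead of htmlparser2. Attribute values that
// contain '>' are not handled; the point is the denylist decision, not a full parser.

// Pre-fix and post-fix denylists, as shown in the Joplin commit.
const PRE_FIX_DISALLOWED = ['script', 'iframe', 'frameset', 'frame', 'object', 'base'];
const POST_FIX_DISALLOWED = [...PRE_FIX_DISALLOWED, 'embed'];

// Void elements never have a closing tag, so only the tag itself is dropped (subset, assumed).
const VOID_TAGS = new Set(['embed', 'img', 'br', 'hr', 'input', 'meta', 'link', 'source']);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;

// Remove every disallowed element; for non-void ones, drop their content as well.
function stripDisallowedTags(html, disallowedTags) {
  const disallowed = new Set(disallowedTags.map((t) => t.toLowerCase()));
  const re = new RegExp(TAG_RE.source, 'g');
  let out = '';
  let last = 0;        // start of the slice not yet copied to out
  let skipping = null; // name of the disallowed container whose body is being dropped
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const isClose = m[0].startsWith('</');
    if (skipping) {
      if (isClose && name === skipping) skipping = null;
      last = re.lastIndex; // everything up to here belongs to the skipped element
      continue;
    }
    if (!disallowed.has(name)) continue; // allowed tag: copied later with its text
    out += html.slice(last, m.index);    // keep the text before the offending tag
    last = re.lastIndex;
    if (!isClose && !VOID_TAGS.has(name)) skipping = name;
  }
  if (!skipping) out += html.slice(last); // an unclosed disallowed container eats the rest
  return out;
}

// Audit helper (assumed): list the disallowed tag names a note contains, case-insensitively.
function findDisallowedTags(html, disallowedTags) {
  const disallowed = new Set(disallowedTags.map((t) => t.toLowerCase()));
  const found = new Set();
  for (const m of html.matchAll(TAG_RE)) {
    const name = m[1].toLowerCase();
    if (disallowed.has(name)) found.add(name);
  }
  return [...found];
}

// Constructed sample note: benign markup plus an upper-case <EMBED> and a <script>.
const SAMPLE_NOTE = '<p>Hi</p><EMBED src="remote.svg"><script>alert(1)</script><b>ok</b>';
```

Running `findDisallowedTags` with the patched list over a note store is a cheap way to find notes that would have rendered an `<embed>` under the vulnerable versions.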
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joplin (npm) | >= 1.0.190, < 1.1.7 | 1.1.7 |
Affected products
- Joplin/Joplin desktop
Patches
57d750bc9aeb All: Security: Disallow EMBED tags to prevent XSS vulnerability
1 file changed · +1 −1
ReactNativeClient/lib/joplin-renderer/htmlUtils.js+1 −1 modified@@ -91,7 +91,7 @@ class HtmlUtils { // that can break several plugins, such as Katex (which needs to load CSS // files using a relative URL). For that reason it is disabled. // More info: https://github.com/laurent22/joplin/issues/3021 - const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base']; + const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed']; const parser = new htmlparser2.Parser({
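Review bot: the hunk appends 'embed' to the tag-name denylist in htmlUtils.js but, per the summary ("1 file changed · +1 −1"), adds no regression test; a test asserting that a note containing an embed element comes out of the sanitizer without it would keep this from regressing. The comment block above the list (about Katex and relative URLs) explains why some tags are kept, so it would also help to record there that the list is a denylist that must be extended whenever another tag capable of loading external content is identified, or to note why an allowlist was not chosen.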
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cgc7-mwp4-3ccx
- nvd.nist.gov/vuln/detail/CVE-2020-15930
- packetstormsecurity.com/files/159316/Joplin-1.0.245-Cross-Site-Scripting-Code-Execution.html
- github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff
- github.com/laurent22/joplin/issues/3552
- github.com/laurent22/joplin/releases/tag/v1.1.4
News mentions
No linked articles in our index yet.