VYPR
Moderate severity · NVD Advisory · Published Nov 6, 2020 · Updated Aug 4, 2024

CVE-2020-28249

Description

Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joplin Desktop 1.2.6 is vulnerable to stored XSS via a LINK element in a note, allowing arbitrary JavaScript execution.

CVE-2020-28249 is a stored cross-site scripting (XSS) vulnerability in Joplin Desktop version 1.2.6. The note renderer fails to strip the `<link>` HTML element from note content, allowing an attacker to inject arbitrary JavaScript. The root cause is an incomplete denylist of disallowed tags: `script`, `iframe`, `frameset`, `frame`, `object`, `base` and `embed` were blocked, but `link` was not [1][3].

To exploit this vulnerability, an attacker crafts a note containing a malicious `<link>` element. As the fix commit notes, `link` can be used to escape the sanitizer's parser and inject JavaScript that runs when the note is rendered. No user interaction beyond opening or viewing the note is required, since the XSS fires automatically in the desktop application's rendering engine [3].

Impact: an attacker can execute arbitrary JavaScript in the context of the Joplin application's note renderer, potentially leading to theft or modification of note data, or to further compromise of the user's system. Since notes frequently hold sensitive information, this is a significant confidentiality and integrity risk.

A fix was released in Joplin version 1.3.11, which adds `link` and `meta` to the disallowed tags list (commit fd90a490c0e5) [2][4]. Users should update to at least this version. No workarounds are documented; users of version 1.2.6 should upgrade.
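As an added example (not Joplin's code and not the fix commit), the JavaScript below mirrors the shape of the tag policy described above: the pre-fix and post-fix denylists side by side, an allowlist alternative, and a small audit helper that reports which tags in a note a given denylist would let through. The tokenizer is a deliberately simple regex rather than the htmlparser2 instance Joplin uses, the allowlist and the sample note are constructed for illustration, and the specific `<link>` payload that escaped Joplin's parser is not reproduced.

```javascript
// Added example: NOT Joplin's code. A minimal tag-policy sanitizer in the
// shape of joplin-renderer's htmlUtils.js fix (a denylist of element names),
// next to an allowlist alternative and an audit helper. The tokenizer is a
// simple regex, not the htmlparser2 instance Joplin uses, and the <link>
// payload that escaped Joplin's parser is not reproduced here.

// Denylist before the fix (the array visible in the diff) and after it.
const DISALLOWED_BEFORE = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed'];
const DISALLOWED_AFTER = [...DISALLOWED_BEFORE, 'link', 'meta'];

// Hypothetical allowlist for a note renderer: only what a note legitimately needs.
const ALLOWED = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'pre', 'code',
  'h1', 'h2', 'h3', 'img', 'blockquote', 'table', 'tr', 'td', 'th'];

// Matches an opening, closing or self-closing tag and captures its name.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)(?:\s[^>]*)?\/?>/g;

// Constructed sample note (not from the advisory): one tag blocked by the
// old list, the two tags the fix added, and ordinary formatting.
const SAMPLE_NOTE = [
  '<h1>Shopping list</h1>',
  '<script>alert(1)</script>',
  '<link rel="stylesheet" href="https://attacker.example/x.css">',
  '<meta name="referrer" content="unsafe-url">',
  '<p>milk <b>eggs</b></p>',
].join('\n');

// Denylist policy: drop tags whose name is on the list, keep everything else.
// Text content is kept as text (a real sanitizer also drops the body of
// script-like elements); the point here is which tags survive.
function sanitizeDenylist(html, disallowed) {
  const blocked = new Set(disallowed.map((t) => t.toLowerCase()));
  return html.replace(TAG_RE, (tag, name) => (blocked.has(name.toLowerCase()) ? '' : tag));
}

// Allowlist policy: keep only tags whose name is on the list. A tag the
// list author never thought about is stripped instead of passed through.
function sanitizeAllowlist(html, allowed) {
  const kept = new Set(allowed.map((t) => t.toLowerCase()));
  return html.replace(TAG_RE, (tag, name) => (kept.has(name.toLowerCase()) ? tag : ''));
}

// Audit helper: which tag names in `html` would a given denylist let through?
// Run over a corpus of notes to see what a proposed list does not cover.
function uncoveredTags(html, disallowed) {
  const blocked = new Set(disallowed.map((t) => t.toLowerCase()));
  const seen = new Set();
  for (const m of html.matchAll(TAG_RE)) {
    const name = m[1].toLowerCase();
    if (!blocked.has(name)) seen.add(name);
  }
  return [...seen].sort();
}

// True if an opening tag with this name is still present in `html`.
function tagSurvives(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Stand-alone run: compare the three policies on the sample note.
console.log('before fix, <link> survives:', tagSurvives(sanitizeDenylist(SAMPLE_NOTE, DISALLOWED_BEFORE), 'link'));
console.log('after fix,  <link> survives:', tagSurvives(sanitizeDenylist(SAMPLE_NOTE, DISALLOWED_AFTER), 'link'));
console.log('allowlist,  <link> survives:', tagSurvives(sanitizeAllowlist(SAMPLE_NOTE, ALLOWED), 'link'));
console.log('uncovered by pre-fix list :', uncoveredTags(SAMPLE_NOTE, DISALLOWED_BEFORE));
console.log('uncovered by post-fix list:', uncoveredTags(SAMPLE_NOTE, DISALLOWED_AFTER));
```

The audit helper is the practical takeaway: a denylist is only as complete as the last tag someone remembered, so before shipping one, run it over real note content and look at what is left uncovered; an allowlist fails closed instead.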

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
joplin (npm)   < 1.3.11            1.3.11

Affected products

  • Joplin / Joplin for Desktop (from the CVE description)
  • GHSA coordinates: range < 1.3.11

Patches

fd90a490c0e5

All: Security: Remove "link" and "meta" tags from notes to prevent XSS

https://github.com/laurent22/joplin · Laurent Cozic · Oct 29, 2020 · via GHSA
1 file changed · +10 −5
  • ReactNativeClient/lib/joplin-renderer/htmlUtils.js (modified, +10 −5)
    @@ -87,11 +87,16 @@ class HtmlUtils {
     			return tagStack[tagStack.length - 1];
     		};
     
    -		// The BASE tag allows changing the base URL from which files are loaded, and
    -		// that can break several plugins, such as Katex (which needs to load CSS
    -		// files using a relative URL). For that reason it is disabled.
    -		// More info: https://github.com/laurent22/joplin/issues/3021
    -		const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed'];
    +		// The BASE tag allows changing the base URL from which files are
    +		// loaded, and that can break several plugins, such as Katex (which
    +		// needs to load CSS files using a relative URL). For that reason
    +		// it is disabled. More info:
    +		// https://github.com/laurent22/joplin/issues/3021
    +		//
    +		// "link" can be used to escape the parser and inject JavaScript.
    +		// Adding "meta" too for the same reason as it shouldn't be used in
    +		// notes anyway.
    +		const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta'];
     
     		const parser = new htmlparser2.Parser({
     
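Review bot: appending `'link', 'meta'` to `const disallowedTags = [...]` keeps the sanitizer a denylist, and the new comment itself says `link` "can be used to escape the parser", which is a disagreement between the htmlparser2 tokenizer and the rendering engine rather than a property of `link` alone; any other tag the two disagree on is still passed through. Consider inverting this to an allowlist of the tags a note may legitimately contain, and add a regression test with the `link` input that escaped the parser so the case is covered. The `meta` comment also gives two different reasons in one sentence ("for the same reason" and "shouldn't be used in notes anyway"); state which one applies so the next reader knows whether `meta` is a security block or a hygiene block.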
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
