CVE-2021-33295
Description
Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute arbitrary code due to improper sanitizing of HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Joplin Desktop App before 1.8.5 due to improper HTML sanitization allows arbitrary code execution via crafted note content.
Vulnerability
Overview
CVE-2021-33295 is a stored cross-site scripting (XSS) vulnerability in the Joplin Desktop App prior to version 1.8.5. The root cause is improper sanitization of HTML content within note bodies, allowing an attacker to inject arbitrary scripts [1][2]. The vulnerability was discovered by Jubair Rehman Yousafzai, who demonstrated a payload using the `` tag to bypass sanitization [3].
Exploitation
To exploit the vulnerability, an attacker must craft a note containing malicious HTML, such as <p title="">. When a victim opens the note and toggles the view (e.g., by clicking the toggle button twice), the payload executes in the context of the Joplin application [3]. No special privileges are required; the attacker only needs the ability to create or import notes into the victim's Joplin instance.
Impact
Successful exploitation allows arbitrary JavaScript execution within the Joplin desktop environment. This could lead to theft of sensitive note data, session hijacking, or further compromise of the user's system, depending on the capabilities exposed to the application's web view [2][3].
Mitigation
The Joplin team addressed the issue in version 1.8.5, released on May 10, 2021 [4]. Users are strongly advised to update to the latest version. No workarounds are documented; the fix involves improved HTML sanitization to prevent XSS attacks.
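The fix shown in the commit on this page appends one more tag name to a denylist (`disallowedTags`) inside `sanitizeHtml()`. The following is an added example, not Joplin's code: a small denylist tag filter that tokenizes tags with a regular expression (Joplin itself uses `htmlparser2`, as the diff shows) so it runs stand-alone. The two tag lists are copied from the removed and added lines of the diff; the sample note markup and the helper name `sanitizeWithDenylist` are constructed for the example. It illustrates the property the fix relies on: with a denylist, an element whose tag name is not on the list passes through untouched, so the `<noscript>` element survives the pre-fix list and is dropped by the post-fix list.

```javascript
// Added example (not Joplin's code): a minimal denylist tag filter in the
// style of the sanitizeHtml() change in the fix commit for CVE-2021-33295.
// Tags are tokenized with a regular expression instead of htmlparser2, so this
// is a teaching model of the denylist approach, not a production sanitizer.

// Tag list before the fix (copied from the removed line in the diff).
const DISALLOWED_BEFORE = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta'];
// Tag list after the fix: 'noscript' appended (copied from the added line).
const DISALLOWED_AFTER = [...DISALLOWED_BEFORE, 'noscript'];

// Remove every element whose tag name is on the denylist, together with its
// inner content, and return the remaining markup. Names are compared
// case-insensitively because HTML tag names are case-insensitive.
function sanitizeWithDenylist(html, disallowedTags) {
  const disallowed = new Set(disallowedTags.map((t) => t.toLowerCase()));
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  const out = [];
  let pos = 0;          // start of the text not yet copied to the output
  let skipDepth = 0;    // > 0 while inside a disallowed element
  let skipTag = null;   // name of the disallowed element being skipped
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const raw = m[0];
    const name = m[1].toLowerCase();
    const isClose = raw.startsWith('</');
    const isSelfClosing = raw.endsWith('/>');
    if (skipDepth > 0) {
      // Inside a disallowed element: drop everything until its matching close,
      // tracking nesting of the same tag name.
      if (name === skipTag) {
        if (isClose) skipDepth -= 1;
        else if (!isSelfClosing) skipDepth += 1;
        if (skipDepth === 0) { pos = tagRe.lastIndex; skipTag = null; }
      }
      continue;
    }
    // Text before this tag passes through unchanged.
    out.push(html.slice(pos, m.index));
    pos = tagRe.lastIndex;
    if (disallowed.has(name)) {
      if (isClose || isSelfClosing) continue;  // stray close or <embed/>: drop it
      skipDepth = 1;
      skipTag = name;
      continue;
    }
    // Any tag not on the denylist is kept as-is: this is the denylist's weakness.
    out.push(raw);
  }
  // If a disallowed element was never closed, everything after it is dropped.
  if (skipDepth === 0) out.push(html.slice(pos));
  return out.join('');
}

// Constructed sample note body: a benign <noscript> element between two paragraphs.
const SAMPLE_NOTE = '<p>note</p><noscript><p>hidden</p></noscript><b>after</b>';

// Returns both results so the before/after behaviour can be compared directly.
function compareBeforeAndAfterFix(html = SAMPLE_NOTE) {
  return {
    before: sanitizeWithDenylist(html, DISALLOWED_BEFORE),
    after: sanitizeWithDenylist(html, DISALLOWED_AFTER),
  };
}

module.exports = { DISALLOWED_BEFORE, DISALLOWED_AFTER, sanitizeWithDenylist, compareBeforeAndAfterFix };
```

Running `compareBeforeAndAfterFix()` shows the `<noscript>` element intact under the pre-fix list and removed under the post-fix list. The design point for defenders is that every tag missing from a denylist is allowed by default, which is why a single omitted name was enough to bypass the sanitizer here; an allowlist of permitted tags and attributes fails closed instead, and a regression test for each denied tag keeps a later cleanup from silently dropping an entry.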
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joplin (npm) | < 1.8.5 | 1.8.5 |
Affected products
- Joplin / Joplin Desktop App
Patches
9c20d5947d1f: All: Security: Filter out NOSCRIPT tags that could be used to cause an XSS (thanks to Jubair Rehman for the PoC)
1 file changed · +2 −2
packages/renderer/htmlUtils.ts+2 −2 modified@@ -133,7 +133,7 @@ class HtmlUtils { return output.join('').replace(/\s+/g, ' '); } - sanitizeHtml(html: string, options: any = null) { + public sanitizeHtml(html: string, options: any = null) { options = Object.assign({}, { // If true, adds a "jop-noMdConv" class to all the tags. // It can be used afterwards to restore HTML tags in Markdown. @@ -158,7 +158,7 @@ class HtmlUtils { // "link" can be used to escape the parser and inject JavaScript. // Adding "meta" too for the same reason as it shouldn't be used in // notes anyway. - const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta']; + const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript']; const parser = new htmlparser2.Parser({
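Review bot: The `'noscript'` entry appended to `disallowedTags` in the second hunk has no explanation, while the comment just above the list justifies `'link'` and `'meta'`; extend that comment with the reason given in the commit message (noscript tags could be used to cause an XSS) so a later cleanup does not prune the entry. The visibility change from `sanitizeHtml(html: string, options: any = null)` to `public sanitizeHtml(html: string, options: any = null)` in the first hunk is unrelated to the security fix and is not mentioned in the commit message; either split it into its own commit or note it there. Because this is a denylist, any tag absent from the list is allowed by default, so a regression test asserting that a `<noscript>` element is removed by `sanitizeHtml()` would guard this specific entry.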
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-phj8-2p6x-hq5r (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33295 (NVD entry)
- github.com/laurent22/joplin/commit/9c20d5947d1fa4678a8b640792ff3d31224f0adf (fix commit)
- github.com/laurent22/joplin/releases/tag/v1.8.5 (release notes)
- the-it-wonders.blogspot.com/2021/05/joplin-app-desktop-version-vulnerable.html (researcher write-up)