VYPR
Moderate severity · NVD Advisory · Published Aug 2, 2021 · Updated Aug 4, 2024

CVE-2021-37916

Description

Joplin before 2.0.9 allows XSS via button and form in the note body.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joplin before 2.0.9 allows cross-site scripting via button and form HTML elements in the note body.

Vulnerability

Joplin before version 2.0.9 fails to filter button and form HTML tags from note content, allowing stored cross-site scripting (XSS) attacks [2][4]. The application sanitizes other dangerous tags like script and iframe, but the list of disallowed tags did not include button and form [4].
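As an added illustration (not Joplin's code, and using a small hand-written tag scanner rather than the htmlparser2 parser the real renderer uses), the following JavaScript applies the same denylist idea to a constructed note body, once with the tag list from before the fix and once with the list after it, plus a small audit helper for finding stored notes that contain elements the old list let through:

```javascript
// Added example, not Joplin's code: a denylist sanitizer in the shape of
// packages/renderer/htmlUtils.ts, with a hand-written tag scanner instead of
// htmlparser2. The two tag lists are copied from the fix commit.
const TAGS_BEFORE_FIX = ['script', 'iframe', 'frameset', 'frame', 'object',
  'base', 'embed', 'link', 'meta', 'noscript'];
const TAGS_AFTER_FIX = TAGS_BEFORE_FIX.concat(['button', 'form', 'input',
  'select', 'textarea', 'option', 'optgroup']);
// Elements that never have a closing tag, so they cannot open a skip region.
const VOID_TAGS = new Set(['input', 'br', 'img', 'hr', 'meta', 'link', 'base', 'embed']);
// Drop every element whose name is in `disallowed`, together with its content
// (the way a denylist sanitizer drops a whole <script> block). An unclosed
// disallowed element swallows the rest of the note, which fails closed.
function sanitizeNoteHtml(html, disallowed) {
  const deny = new Set(disallowed.map((t) => t.toLowerCase()));
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  let out = '';
  let depth = 0; // > 0 while inside a disallowed element
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isClose = m[0][1] === '/';
    const name = m[1].toLowerCase();
    const noBody = isClose || m[0].endsWith('/>') || VOID_TAGS.has(name);
    if (depth === 0) out += html.slice(last, m.index); // text before this tag
    if (deny.has(name)) {
      if (!noBody) depth += 1;
      else if (isClose && depth > 0) depth -= 1;
    } else if (depth === 0) {
      out += m[0]; // allowed tag outside any skipped region is kept verbatim
    }
    last = m.index + m[0].length;
  }
  if (depth === 0) out += html.slice(last);
  return out;
}
// Audit helper: list the denied element names present in a stored note, for
// finding notes that an unpatched renderer would have displayed as-is.
function findDisallowedTags(html, disallowed) {
  const deny = new Set(disallowed.map((t) => t.toLowerCase()));
  const found = [];
  for (const m of html.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g)) {
    const name = m[1].toLowerCase();
    if (deny.has(name)) found.push(name);
  }
  return found;
}
// Constructed sample note: a benign paragraph, then form controls with an event-handler attribute.
const SAMPLE_NOTE = '<p>Hello</p><button onclick="handler()">x</button>'
  + '<form action="/a"><input name="q"></form>';
```

With the pre-fix list the button and form survive untouched; with the post-fix list only the paragraph remains. The scanner uses a simple `[^>]*` attribute match, so it is an illustration rather than a drop-in replacement for a real HTML parser.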

Exploitation

An attacker with the ability to create or edit notes can insert HTML containing `<button>` or `<form>` elements with event-handler attributes (e.g., `onclick`) to execute arbitrary JavaScript [2][4]. When another user views the malicious note, the script runs in the context of the Joplin application.

Impact

Successful exploitation can lead to arbitrary JavaScript execution in the context of the Joplin application, potentially resulting in data theft, session hijacking, or further attacks on the user's notes and system [2][3].

Mitigation

The vulnerability is fixed in Joplin version 2.0.9, released August 2, 2021 [3]. Users should update to at least this version. No workaround is available for earlier versions.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
joplin (npm)     < 2.0.9             2.0.9


Patches

feaecf765368

Desktop, Mobile: Filter out form elements from note body to prevent potential XSS (thanks to Dmytro Vdovychinskiy for the PoC)

https://github.com/laurent22/joplin · Laurent Cozic · Jun 11, 2021 · via ghsa
1 file changed · +1 −1
  • packages/renderer/htmlUtils.ts · +1 −1 · modified
    @@ -158,7 +158,7 @@ class HtmlUtils {
     		// "link" can be used to escape the parser and inject JavaScript.
     		// Adding "meta" too for the same reason as it shouldn't be used in
     		// notes anyway.
    -		const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];
    +		const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript', 'button', 'form', 'input', 'select', 'textarea', 'option', 'optgroup'];
     
     		const parser = new htmlparser2.Parser({
     
    
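Review bot: The comment above `disallowedTags` still explains only why "link" and "meta" are denied; it should also say why the newly added form controls (`button`, `form`, `input`, `select`, `textarea`, `option`, `optgroup`) are disallowed, since nothing in the hunk records the reason. A denylist that is only extended by enumeration after each report is fragile; consider moving to an allowlist of permitted tags (and attributes) in `HtmlUtils`, and at minimum add a renderer test that feeds a note body containing a `<button>` with an event-handler attribute through the sanitizer and asserts the element is removed, so this list cannot silently regress.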

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
