CVE-2023-37298
Description
Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joplin before 2.11.5 allows XSS via a USE element in an SVG document within notes.
Vulnerability
Analysis
CVE-2023-37298 describes a stored cross-site scripting (XSS) vulnerability in Joplin, an open-source note-taking application, affecting versions prior to 2.11.5. The root cause is that Joplin's HTML sanitizer (the disallowed-tag list in `packages/renderer/htmlUtils.ts`) did not block the `<svg>` tag, so a note could carry an SVG document containing a `<use>` element. The `href` of a `<use>` element may point at an external or `data:` URL holding a second SVG document. The sanitizer only ever sees the outer `<svg>` and `<use>` elements, because the nested document is an opaque attribute value to an HTML tokenizer, while the renderer dereferences that URL and evaluates whatever the nested document carries, including inline event handlers such as `onerror`. The result is arbitrary JavaScript executing in the context of the viewer's session when the note is rendered.
Exploitation
An attacker crafts a note containing an SVG document with a `<use>` element; the `sanitize_15.md` test case added in the fix commit is exactly such a payload, a `<svg><use href="data:image/svg+xml,...">` whose data URL wraps an `<image>` carrying an `onerror` handler. The note can be delivered through any note-sharing mechanism Joplin supports (e.g., shared notebooks or synced notes). No privilege beyond ordinary note access is needed, which makes this a stored XSS vector. The payload fires when the note is rendered in the Joplin client, because the sanitizer did not filter SVG tags before version 2.11.5 [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser or Joplin desktop/mobile client context. In the Electron desktop client the consequences go beyond ordinary web XSS: the test payload in the fix commit calls `top.require('child_process').execSync(...)`, i.e., it reaches Node's APIs from the rendered note and runs an OS command. Exploitation could also lead to theft of sensitive note content or session tokens, or further manipulation of the application. The advisory rates the severity as medium (CVSS 6.1), reflecting that user interaction (viewing the note) is required and that the note must reach the victim through Joplin's sharing or sync functionality [2].
Mitigation
The vulnerability is fixed in Joplin version 2.11.5, where `svg` was added to the sanitizer's list of disallowed HTML tags in commit caf66068bfc474bbfd505013076ed173cd90ca83 [3][4]; the commit notes that SVG graphics remain available through the `<img>` tag. Users should update to at least version 2.11.5. For those unable to upgrade, not rendering notes from untrusted sources and avoiding SVG content in notes are partial workarounds, though updating is the recommended action.
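To make the Analysis, Exploitation and Mitigation points above concrete, here is an added example that is not Joplin's code: a minimal tag-allowlist sanitizer written for this page in the style of `htmlUtils.ts`, run with the pre-fix and post-fix disallowed-tag lists copied from the commit and with the `sanitize_15.md` payload. The `on*` attribute stripping is an assumption (the page only shows the tag list); `dropSubtree: false` mirrors the `sanitize_15.html` expectation on this page, where only the `<svg>` wrapper is removed and the `<use>` child is kept (Joplin's real output additionally adds `class="jop-noMdConv"`). The example shows why blocking inline handlers alone cannot catch this payload: the handler lives inside a quoted attribute value that a spec-following tokenizer treats as opaque.

```javascript
// Added example (not Joplin's code): a minimal tag-allowlist HTML sanitizer in
// the style of Joplin's htmlUtils.ts, run with the pre-fix and post-fix
// disallowed-tag lists from the fix commit.

// Tag lists copied from the htmlUtils.ts hunk; the fix appends 'svg'.
const DISALLOWED_BEFORE = [
  'script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed',
  'link', 'meta', 'noscript', 'button', 'form', 'input', 'select',
  'textarea', 'option', 'optgroup',
];
const DISALLOWED_AFTER = [...DISALLOWED_BEFORE, 'svg'];

// Payload taken from the sanitize_15.md test case in the fix commit.
const PAYLOAD = "<svg><use href=\"data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'>" +
  "<image href='asdf' onerror='top.require(`child_process`).execSync(`calc.exe`)' /></svg>#x\" />";

// Parse `name="v"`, `name='v'`, `name=v` and bare attributes.
function parseAttrs(s) {
  const attrs = [];
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Tokenize into text/open/close tokens. A quoted attribute value is opaque, so
// the '>' and '<svg ...>' inside the data: URL never become tags. This is how a
// spec-following tokenizer such as htmlparser2 behaves, and it is the crux of
// the bug: the sanitizer sees <svg> and <use href=...>, nothing more.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      let j = html.indexOf('<', i);
      if (j === -1) j = html.length;
      tokens.push({ type: 'text', raw: html.slice(i, j) });
      i = j;
      continue;
    }
    let j = i + 1;
    let quote = null;
    while (j < html.length) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j++;
    }
    const raw = html.slice(i, j + 1);
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)/.exec(raw);
    if (!m) { tokens.push({ type: 'text', raw }); i = j + 1; continue; }
    const selfClosing = /\/\s*>$/.test(raw);
    const attrSrc = raw.slice(m[0].length, raw.length - 1).replace(/\/\s*$/, '');
    tokens.push({ type: m[1] ? 'close' : 'open', name: m[2].toLowerCase(),
      selfClosing, attrs: parseAttrs(attrSrc) });
    i = j + 1;
  }
  return tokens;
}

// Rebuild the document, dropping disallowed tags and any on* attribute (the
// attribute filter is an assumption; the page only shows the tag list).
// dropSubtree=false mirrors the sanitize_15.html expectation on this page
// (only the <svg> tag goes, its children stay); true removes the whole subtree.
function sanitize(html, disallowedTags, { dropSubtree = false } = {}) {
  const disallowed = new Set(disallowedTags);
  const out = [];
  let dropDepth = 0; // > 0 while inside a dropped element's subtree
  for (const t of tokenize(html)) {
    if (t.type === 'text') { if (dropDepth === 0) out.push(t.raw); continue; }
    if (t.type === 'open') {
      if (dropDepth > 0) { if (!t.selfClosing) dropDepth++; continue; }
      if (disallowed.has(t.name)) { if (dropSubtree && !t.selfClosing) dropDepth = 1; continue; }
      const attrs = t.attrs.filter((a) => !a.name.startsWith('on'))
        .map((a) => ` ${a.name}="${a.value.replace(/"/g, '&quot;')}"`).join('');
      out.push(`<${t.name}${attrs}${t.selfClosing ? ' /' : ''}>`);
    } else {
      if (dropDepth > 0) { dropDepth--; continue; }
      if (!disallowed.has(t.name)) out.push(`</${t.name}>`);
    }
  }
  return out.join('');
}

// Run the payload through both tag lists; a direct handler shows the on* filter
// does work when the handler is on an element the tokenizer actually sees.
function demo() {
  return {
    beforeFix: sanitize(PAYLOAD, DISALLOWED_BEFORE),
    afterFix: sanitize(PAYLOAD, DISALLOWED_AFTER),
    afterFixDropSubtree: sanitize(PAYLOAD, DISALLOWED_AFTER, { dropSubtree: true }),
    directHandler: sanitize('<img src=x onerror=alert(1)>', DISALLOWED_AFTER),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the pre-fix list the payload comes back byte-for-byte unchanged, `onerror` included, because the only attribute the sanitizer ever inspects is `href`. With `svg` disallowed the wrapper is gone; whether the remaining `<use>` is harmless depends on the renderer treating it as an unknown HTML element, which is why dropping the whole subtree is the more conservative choice.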
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joplin (npm) | < 2.11.5 | 2.11.5 |
Affected products
- Joplin/Joplin
Patches
caf66068bfc4 Desktop, Mobile: Security: Disable SVG tag support in editor to prevent XSS
4 files changed · +13 −7
packages/app-cli/tests/md_to_html/sanitize_15.html+1 −0 added@@ -0,0 +1 @@ +<use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><image href='asdf' onerror='top.require(`child_process`).execSync(`calc.exe`)' /></svg>#x" class="jop-noMdConv"> \ No newline at end of file
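Review bot: the expected output in sanitize_15.html still contains the entire nested SVG document, `onerror='top.require(`child_process`)...'` included, inside the surviving `<use href="data:...">`; the fixture therefore only proves the `<svg>` wrapper was removed, not that the payload is neutralised. Either have the sanitizer drop the subtree of a disallowed tag so the expected file is empty, or add an explicit assertion that the rendered output contains no `onerror` and no `data:image/svg+xml` reference, so a future regression that lets a bare `<use>` resolve its href again is caught.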
packages/app-cli/tests/md_to_html/sanitize_15.md+1 −0 added@@ -0,0 +1 @@ +<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><image href='asdf' onerror='top.require(`child_process`).execSync(`calc.exe`)' /></svg>#x" /> \ No newline at end of file
packages/app-cli/tests/MdToHtml.ts+1 −1 modified@@ -35,7 +35,7 @@ describe('MdToHtml', () => { const mdFilePath = `${basePath}/${mdFilename}`; const htmlPath = `${basePath}/${filename(mdFilePath)}.html`; - // if (mdFilename !== 'sanitize_9.md') continue; + if (mdFilename !== 'sanitize_15.md') continue; const mdToHtmlOptions: any = { bodyOnly: true,
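Review bot: the `- // if (mdFilename !== 'sanitize_9.md') continue;` / `+ if (mdFilename !== 'sanitize_15.md') continue;` change uncomments the debugging filter, so after this commit every md_to_html fixture except sanitize_15.md is skipped and the other sanitize_* regressions are no longer exercised. Restore the comment marker (keep it pointing at sanitize_15.md if that helps local debugging) before merging, or better, gate the filter behind an environment variable so it cannot land enabled.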
packages/renderer/htmlUtils.ts+10 −6 modified@@ -183,17 +183,21 @@ class HtmlUtils { // The BASE tag allows changing the base URL from which files are // loaded, and that can break several plugins, such as Katex (which - // needs to load CSS files using a relative URL). For that reason - // it is disabled. More info: - // https://github.com/laurent22/joplin/issues/3021 + // needs to load CSS files using a relative URL). For that reason it is + // disabled. More info: https://github.com/laurent22/joplin/issues/3021 // - // "link" can be used to escape the parser and inject JavaScript. - // Adding "meta" too for the same reason as it shouldn't be used in - // notes anyway. + // "link" can be used to escape the parser and inject JavaScript. Adding + // "meta" too for the same reason as it shouldn't be used in notes + // anyway. + // + // There are too many issues with SVG tags and to handle them properly + // we should parse them separately. Currently we are not so it is better + // to disable them. SVG graphics are still supported via the IMG tag. const disallowedTags = [ 'script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript', 'button', 'form', 'input', 'select', 'textarea', 'option', 'optgroup', + 'svg', ]; const parser = new htmlparser2.Parser({
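Review bot: adding `'svg'` to `disallowedTags` blocks only the container; SVG child elements such as `use`, `image` and `foreignObject` stay allowed and, per the new fixture, are emitted into the output as ordinary HTML. The safety of that rests on the renderer treating them as unknown inert elements outside an SVG root, and the new comment ("There are too many issues with SVG tags...") does not record that assumption. Either state it in the comment next to the `'svg'` entry, or add those child tags to the list as well so the output no longer depends on how the host treats orphaned SVG elements.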
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
News mentions: 0
No linked articles in our index yet.