VYPR
Vendor

Joplin

Products
1
CVEs
21
Across products
21
Status
Private

Products

1

Recent CVEs

21
View all 21 CVEs →
  • CVE-2023-45673HigJun 21, 2024
    risk 0.58cvss 8.9epss 0.01

    Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code…

  • CVE-2022-23340CriFeb 8, 2022
    risk 0.57cvss 9.8epss 0.02

    Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results.

  • CVE-2024-40643CriSep 9, 2024
    risk 0.55cvss 9.6epss 0.01

    Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag.

  • CVE-2023-38506HigJun 21, 2024
    risk 0.53cvss 8.2epss 0.00

    Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As…

  • CVE-2023-37898HigJun 21, 2024
    risk 0.53cvss 8.2epss 0.00

    Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with …

  • CVE-2022-35131CriJul 25, 2022
    risk 0.52cvss 9.0epss 0.02

    Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

  • CVE-2022-40277HigSep 30, 2022
    risk 0.51cvss 7.8epss 0.00

    Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the…

  • CVE-2024-49362HigNov 14, 2024
    risk 0.50cvss 7.7epss 0.01

    Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes…

  • CVE-2024-53268HigNov 25, 2024
    risk 0.47cvss 7.2epss 0.01

    Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution…

  • CVE-2026-22810HigMay 18, 2026
    risk 0.46cvss 8.2epss 0.00

    Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the…

  • CVE-2023-37299MedJun 30, 2023
    risk 0.33cvss 6.1epss 0.01

    Joplin before 2.11.5 allows XSS via an AREA element of an image map.

  • CVE-2023-37298MedJun 30, 2023
    risk 0.33cvss 6.1epss 0.01

    Joplin before 2.11.5 allows XSS via a USE element in an SVG document.

  • CVE-2026-34600MedMay 19, 2026
    risk 0.30cvss 5.7epss 0.00

    Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully…

  • CVE-2025-57798MedMay 19, 2026
    risk 0.29cvss 5.5epss 0.00

    Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an…

  • CVE-2021-23431MedAug 24, 2021
    risk 0.28cvss 5.4epss 0.00

    The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.

  • CVE-2025-27409HigApr 30, 2025
    risk 0.00cvss 7.5epss 0.01

    Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The…

  • CVE-2025-27134HigApr 30, 2025
    risk 0.00cvss 8.8epss 0.02

    Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint…

  • CVE-2025-25187HigFeb 7, 2025
    risk 0.00cvss 7.8epss 0.00

    Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities.…

  • CVE-2025-24028HigFeb 7, 2025
    risk 0.00cvss 7.8epss 0.00

    Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects…

  • CVE-2024-55630LowFeb 7, 2025
    risk 0.00cvss 3.3epss 0.00

    Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g.…

VYPR — Vulnerability Intelligence