Joplin

Joplin: 21 CVEs (npm)

Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-45673 | Joplin | High | 0.58 | 8.9 | 0.01 | | Jun 21, 2024 | Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code… |
| CVE-2022-23340 | Joplin | Critical | 0.57 | 9.8 | 0.02 | | Feb 8, 2022 | Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results. |
| CVE-2024-40643 | Joplin | Critical | 0.55 | 9.6 | 0.01 | | Sep 9, 2024 | Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non-letter character will not be considered HTML. As such it is possible to do an XSS by putting an "illegal" tag within a tag. |
| CVE-2023-38506 | Joplin | High | 0.53 | 8.2 | 0.00 | | Jun 21, 2024 | Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As… |
| CVE-2023-37898 | Joplin | High | 0.53 | 8.2 | 0.00 | | Jun 21, 2024 | Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with … |
| CVE-2022-35131 | Joplin | Critical | 0.52 | 9.0 | 0.02 | | Jul 25, 2022 | Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles. |
| CVE-2022-40277 | Joplin | High | 0.51 | 7.8 | 0.00 | | Sep 30, 2022 | Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the… |
| CVE-2024-49362 | Joplin | High | 0.50 | 7.7 | 0.01 | | Nov 14, 2024 | Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on a link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes… |
| CVE-2024-53268 | Joplin | High | 0.47 | 7.2 | 0.01 | | Nov 25, 2024 | Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution… |
| CVE-2026-22810 | Joplin | High | 0.46 | 8.2 | 0.00 | | May 18, 2026 | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the… |
| CVE-2023-37299 | Joplin | Medium | 0.33 | 6.1 | 0.01 | | Jun 30, 2023 | Joplin before 2.11.5 allows XSS via an AREA element of an image map. |
| CVE-2023-37298 | Joplin | Medium | 0.33 | 6.1 | 0.01 | | Jun 30, 2023 | Joplin before 2.11.5 allows XSS via a USE element in an SVG document. |
| CVE-2026-34600 | Joplin | Medium | 0.30 | 5.7 | 0.00 | | May 19, 2026 | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully… |
| CVE-2025-57798 | Joplin | Medium | 0.29 | 5.5 | 0.00 | | May 19, 2026 | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an… |
| CVE-2021-23431 | Joplin | Medium | 0.28 | 5.4 | 0.00 | | Aug 24, 2021 | The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. |
| CVE-2025-27409 | Joplin | High | 0.00 | 7.5 | 0.01 | | Apr 30, 2025 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if the static file path starts with `css/pluginAssets` or `js/pluginAssets`. The… |
| CVE-2025-27134 | Joplin | High | 0.00 | 8.8 | 0.02 | | Apr 30, 2025 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint… |
| CVE-2025-25187 | Joplin | High | 0.00 | 7.8 | 0.00 | | Feb 7, 2025 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities.… |
| CVE-2025-24028 | Joplin | High | 0.00 | 7.8 | 0.00 | | Feb 7, 2025 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects… |
| CVE-2024-55630 | Joplin | Low | 0.00 | 3.3 | 0.00 | | Feb 7, 2025 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g.… |