Aggregates CVE and security vulnerability intelligence across all joplin_project-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting, vendor risk path handling, and vendor risk input validation and related problems; some flaws may lead to vendor impact unexpected behavior.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-27409 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The v | [email protected] | 7.5 | 0.55% | 2025-04-30 | 2025-05-16 |
| CVE-2025-27134 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3. | [email protected] | 8.8 | 1.70% | 2025-04-30 | 2025-05-16 |
| CVE-2025-25187 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is cre | [email protected] | 7.8 | 0.44% | 2025-02-07 | 2025-04-11 |
| CVE-2025-24028 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplev | [email protected] | 7.8 | 0.48% | 2025-02-07 | 2025-04-18 |
| CVE-2024-55630 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerability's only known impact is denial of service. The note viewer fails to refresh until closed and re-opened with a different note. This issue has be | [email protected] | 3.3 | 0.31% | 2025-02-07 | 2025-04-18 |
| CVE-2024-53268 | Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. This issue has been addressed in version 3.0.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 7.2 | 0.75% | 2024-11-25 | 2025-05-07 |
| CVE-2024-49362 | Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution. | [email protected] | 7.7 | 1.04% | 2024-11-14 | 2025-05-07 |
| CVE-2024-40643 | Joplin is a free, open source note taking and to-do application. Joplin fails to take into account that "<" followed by a non letter character will not be considered html. As such it is possible to do an XSS by putting an "illegal" tag within a tag. | [email protected] | 9.6 | 0.73% | 2024-09-09 | 2024-09-17 |
| CVE-2023-45673 | Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDF | [email protected] | 8.9 | 1.03% | 2024-06-21 | 2025-04-11 |
| CVE-2023-39517 | Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `<map>` `<area>` links. However, unlike `<a>` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn't sandboxed to prevent top navigation, links with `target` s | [email protected] | 8.2 | 0.48% | 2024-06-21 | 2024-11-21 |
| CVE-2023-38506 | Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From t | [email protected] | 8.2 | 0.42% | 2024-06-21 | 2025-04-11 |
| CVE-2023-37898 | Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with <pre> and </pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening <pre> tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin | [email protected] | 8.2 | 0.43% | 2024-06-21 | 2025-04-11 |
| CVE-2023-37299 | Joplin before 2.11.5 allows XSS via an AREA element of an image map. | [email protected] | 6.1 | 0.49% | 2023-06-30 | 2024-11-21 |
| CVE-2023-37298 | Joplin before 2.11.5 allows XSS via a USE element in an SVG document. | [email protected] | 6.1 | 0.49% | 2023-06-30 | 2024-11-21 |
| CVE-2022-45598 | Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper santization. | [email protected] | 6.1 | 0.50% | 2023-01-31 | 2025-03-27 |
| CVE-2021-33295 | Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute aribrary code due to improper sanitizing of html. | [email protected] | 5.4 | 0.79% | 2022-06-16 | 2024-11-21 |
| CVE-2022-23340 | Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results. | [email protected] | 9.8 | 1.48% | 2022-02-08 | 2024-11-21 |
| CVE-2021-37916 | Joplin before 2.0.9 allows XSS via button and form in the note body. | [email protected] | 6.1 | 0.73% | 2021-08-03 | 2024-11-21 |
| CVE-2020-28249 | Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. | [email protected] | 6.1 | 3.03% | 2020-11-06 | 2024-11-21 |
| CVE-2020-15930 | An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag. | [email protected] | 6.1 | 4.20% | 2020-09-24 | 2024-11-21 |