Product: Joplin (Joplin_project)
Repositories https://github.com/laurent22/joplin
#Vulnerabilities 16
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2025-04-30 | CVE-2025-27134 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3. | Joplin | 8.8 | | |
| 2025-04-30 | CVE-2025-27409 | Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if the static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal.... | Joplin | 7.5 | | |
| 2024-11-14 | CVE-2024-49362 | Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an `<a>` link within untrusted notes. The issue arises due to insufficient sanitization of `<a>` tag attributes introduced by Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution. | Joplin | 9.6 | | |
| 2024-11-25 | CVE-2024-53268 | Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. This issue has been addressed in version 3.0.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | Joplin | 8.8 | | |
| 2020-02-17 | CVE-2020-9038 | Joplin through 1.0.184 allows Arbitrary File Read via XSS. | Joplin | 5.4 | | |
| 2020-09-24 | CVE-2020-15930 | An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag. | Joplin | 6.1 | | |
| 2020-11-06 | CVE-2020-28249 | Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. | Joplin | 6.1 | | |
| 2021-08-03 | CVE-2021-37916 | Joplin before 2.0.9 allows XSS via button and form in the note body. | Joplin | 6.1 | | |
| 2022-02-08 | CVE-2022-23340 | Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results. | Joplin | 9.8 | | |
| 2022-06-16 | CVE-2021-33295 | Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute arbitrary code due to improper sanitizing of HTML. | Joplin | 5.4 | | |