joplin
npm package: 14 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting joplin (page 1 of 1)
- CVE-2018-1000534 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 1.0.90 | 2018-06-26
  Joplin versions prior to 1.0.90 contain an XSS that escalates into code execution because nodeIntegration is enabled for the BrowserWindow instance in which the XSS, originating from the Note content field, was identified - information on the fix…
- CVE-2020-15930 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 1.1.7 | 2020-09-24
  An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
- CVE-2020-28249 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 1.3.11 | 2020-11-06
  Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.
- CVE-2020-9038 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 1.2.1 | 2020-02-17
  Joplin through 1.0.184 allows arbitrary file read via XSS.
- CVE-2021-23431 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 2.3.2 | 2021-08-24
  The package joplin before 2.3.2 is vulnerable to Cross-Site Request Forgery (CSRF) due to missing CSRF checks in various forms.
- CVE-2021-33295 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 1.8.5 | 2022-06-16
  Cross-Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute arbitrary code due to improper sanitizing of HTML.
- CVE-2021-37916 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 2.0.9 | 2021-08-03
  Joplin before 2.0.9 allows XSS via button and form elements in the note body.
- CVE-2022-23340 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 2.7.1 | 2022-02-08
  Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results.
- CVE-2022-35131 | CRITICAL | CVSS 9.0 | EG 9.0 | Fixed in 2.9.1 | 2022-07-25
  Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.
- CVE-2022-40277 | HIGH | CVSS 7.8 | EG 7.8 | 2022-09-30
  Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schem…
- CVE-2022-45598 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 2.9.17 | 2023-01-31
  Cross-Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows an attacker to execute arbitrary code via improper sanitization.
- CVE-2023-37298 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 2.11.5 | 2023-06-30
  Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
- CVE-2023-37299 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 2.11.5 | 2023-06-30
  Joplin before 2.11.5 allows XSS via an AREA element of an image map.
- CVE-2024-49362 | HIGH | CVSS 7.7 | EG 7.7 | Fixed in 3.1.0 | 2024-11-14
  Vulnerable: 3.0.0
  Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an `<a>` link within untrusted notes. The issue arises due to insufficient sa…