Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package joplin, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (14)
CVE-2022-23340 — CVSS 9.8 (critical): Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results.
CVE-2022-35131 — CVSS 9.0 (critical): Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.
CVE-2022-40277 — CVSS 7.8 (high): Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious…
CVE-2024-49362 — CVSS 7.7 (high): Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution…
CVE-2018-1000534 — CVSS 6.1 (medium): Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow…
CVE-2022-45598 — CVSS 6.1 (medium): Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper santization.
CVE-2020-15930 — CVSS 6.1 (medium): An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
CVE-2021-33295 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute aribrary code due to improper…
CVE-2021-23431 — CVSS 5.4 (medium): The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.