Cross-site Scripting in Joplin

Description

An XSS issue in Joplin desktop allows arbitrary code execution via a malicious HTML embed tag.

Recommendation

Update the joplin package to the latest compatible version. Followings are version details:

• Affected version(s): >= 1.0.190, < 1.1.7
• Patched version(s): 1.1.7

References

• GHSA-cgc7-mwp4-3ccx
• packetstormsecurity.com
• CVE-2020-15930
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• lobe-chat has an Open Redirect - CVE-2025-59426
• Cross-site Scripting in ZenUML - CVE-2024-38527
• Joplin Remote Code Execution - CVE-2022-40277
• Joplin Cross Site Scripting Vulnerability via NOSCRIPT tags - CVE-2021-33295

Tags:

npm

joplin