CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24028 – Cross-site Scripting (XSS) in Rich Text Editor allows arbitrary code execution in Joplin
https://notcve.org/view.php?id=CVE-2025-24028
07 Feb 2025 — Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `w... • https://github.com/laurent22/joplin/commit/2a058ed8097c2502e152b26394dc1917897f5817 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55630 – DOM Clobbering leads to temporary DOS in the note viewer in Joplin
https://notcve.org/view.php?id=CVE-2024-55630
07 Feb 2025 — Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element. This vulnerability's only known impact is denial of service. • https://en.wikipedia.org/wiki/DOM_clobbering • CWE-20: Improper Input Validation •