XSS Vulnerability in Joplin Note Taking Application by Laurent A.
CVE-2025-24028

9.6CRITICAL

Key Information:

Vendor

Laurent22

Status
Joplin
Vendor
CVE Published:
7 February 2025

What is CVE-2025-24028?

Joplin, a popular open-source note-taking and to-do application, has a vulnerability arising from discrepancies between its HTML sanitizer's handling of comments and the browser's behavior. This affects users of the Rich Text Editor when opening untrusted notes, potentially allowing malicious scripts to be executed. The Markdown viewer remains insulated from such attacks due to its cross-origin isolation, which prevents direct access to Joplin's top-level window. Users are strongly urged to upgrade to version 3.2.12 to mitigate this risk, as there are no known workarounds for the vulnerability introduced in prior versions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

joplin >= 3.2.6, < 3.2.12

References

https://github.com/laurent22/joplin/security/advisories/G...
x_refsource_CONFIRM
https://github.com/laurent22/joplin/commit/2a058ed8097c25...
x_refsource_MISC
https://github.com/laurent22/joplin/commit/9b505395918bc9...
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.