Cross-site scripting in Joplin - CVE-2023-37898

Published: June 21, 2024 / Updated: May 16, 2026
Vulnerability identifier: #VU131599
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2023-37898
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Joplinapp
Affected software: Joplin

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to cross-site scripting in packages/renderer/MarkupToHtml.ts when rendering an untrusted note in safe mode. A local user can create a specially crafted note to execute arbitrary code.

User interaction is required to open the crafted note, and exploitation relies on the rendered markdown iframe sharing the same origin as the top-level document without sandboxing.
How to mitigate CVE-2023-37898

Install the security update from the vendor's website.

Sources