Joplin
Unauthorized note disclosure in Joplin server versions 3.5.2 and prior allows authenticated former share recipients to retrieve notes after sharing has been revoked, via two compounding logic errors in the ChangeModel delta API. The first flaw attaches full item content to delta responses without re-verifying current share status; the second incorrectly compresses create → delete event sequences into a NOOP rather than a delete, causing the API to synthesize a create event with full note content for deleted items when those events span separate delta pages. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but confidentiality impact is rated High given that full note content is returned to unauthorized recipients.
Denial of service via unbounded memory allocation in Joplin note-taking application versions 3.6.14 and prior crashes the application by exhausting system memory when an excessively long string is provided as a note title. Authenticated local users with access to the Joplin UI, or attackers holding a compromised local API token, can trigger this out-of-memory condition through either direct UI interaction or an HTTP POST to the local web service API (default port 41184). No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, exploitation requires only low privileges and no user interaction once access is established.
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable and has low attack complexity. Public exploit code is available and the EPSS exploitation probability is 13.4%.
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. Public exploit code is available.
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. Public exploit code is available.
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. Public exploit code is available.