Joplin before 2.11.5 allows XSS via an AREA element of an image map.

Joplin before 2.11.5 allows XSS via a USE element in an SVG document.

Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper santization.

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function.

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

Cross Site Scripting (XSS) vulnerability in Joplin Desktop App before 1.8.5 allows attackers to execute aribrary code due to improper sanitizing of html.

Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results.

The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.

Joplin before 2.0.9 allows XSS via button and form in the note body.

Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.