11 matches found

Nuclei
added yesterday · 20 views

Joplin 3.3.3 Server - Privilege Escalation

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/-id t...

CVSS 8.8 · AI score 5.7 · EPSS 0.01705
Exploits: 1 · References: 2

Vulnrichment
added 2026/05/19 10:28 p.m. · 6 views

CVE-2026-34600 Joplin Server delta API returns note content after share access is revoked

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior...

CVSS 5.7 · AI score 5.8 · EPSS 0.00267
Exploits: 0 · References: 3

Cvelist
added 2026/05/19 10:28 p.m. · 38 views

CVE-2026-34600 Joplin Server delta API returns note content after share access is revoked

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior...

CVSS 5.7 · EPSS 0.00267
Exploits: 0 · References: 3

CVE
added 2026/05/19 10:28 p.m. · 18 views

CVE-2026-34600

CVE-2026-34600 affects Joplin (note-taking app). Versions

CVSS 5.7 · AI score 5.8 · EPSS 0.00267
Exploits: 0 · References: 3

NVD
added 2025/04/30 3:16 p.m. · 16 views

CVE-2025-27409

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function i...

CVSS 7.5 · EPSS 0.00545
Exploits: 1 · References: 2

Vulnrichment
added 2025/04/30 2:55 p.m. · 15 views

CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/:id t...

CVSS 8.8 · AI score 6.9 · EPSS 0.01705
Exploits: 1 · References: 2

Cvelist
added 2025/04/30 2:55 p.m. · 24 views

CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/:id t...

CVSS 8.8 · EPSS 0.01705
Exploits: 1 · References: 2

Cvelist
added 2025/04/30 2:55 p.m. · 15 views

CVE-2025-27409 Joplin Server Vulnerable to Path Traversal

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function i...

CVSS 7.5 · EPSS 0.00545
Exploits: 1 · References: 2

Vulnrichment
added 2025/04/30 2:55 p.m. · 12 views

CVE-2025-27409 Joplin Server Vulnerable to Path Traversal

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function i...

CVSS 7.5 · AI score 6.9 · EPSS 0.00545
Exploits: 1 · References: 2

CVE
added 2025/04/30 2:55 p.m. · 56 views

CVE-2025-27409

CVE-2025-27409 affects Joplin Server prior to version 3.3.3, where path traversal is possible when static files are requested under css/pluginAssets or js/pluginAssets. The default route’s findLocalFile calls localFileFromUrl and, if it returns a path, the result is sent without validating path t...

CVSS 7.5 · AI score 7.5 · EPSS 0.00545
Exploits: 1 · References: 2 · Affected Software: 1

Positive Technologies
added 2025/04/30 12:0 a.m. · 4 views

PT-2025-18289 · Joplin · Joplin

Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 3.3.3 Description: The issue allows path traversal in Joplin Server when the static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function in the default route calls localFileFromUrl to...

CVSS 7.5 · AI score 6.3 · EPSS 0.00545
Exploits: 1 · References: 9