PT-2025-6010 · Joplin · Joplin

Personalizedrefrigerator · Published 2025-02-07 · Updated 2025-02-08 · CVE-2025-24028

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 3.2.12

Description: This issue is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments, affecting both the Rich Text Editor and the Markdown viewer. However, the Markdown viewer is cross-origin isolated, which prevents JavaScript from directly accessing functions or variables in the top-level Joplin window. This is an XSS vulnerability that impacts users who open untrusted notes in the Rich Text Editor.

Recommendations: For Joplin versions prior to 3.2.12, upgrade to version 3.2.12 or later to resolve the issue. As a temporary workaround until the update is applied, avoid opening untrusted notes in the Rich Text Editor, and restrict access to untrusted notes in the Rich Text Editor to minimize the risk of exploitation.


Related Identifiers

CVE-2025-24028
GHSA-5W3C-WPH9-HQ92

Affected Products

Joplin