CVE-2020-9038

MEDIUM

Joplin < 1.0.184 - Stored Cross-Site Scripting and Arbitrary File Read

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-9038. PoCs published by Javier Olmedo, JavierOlmedo.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Joplin Desktop 1.0.184 and earlier, allowing arbitrary file reading via a malicious note. The PoC uses a base64-encoded JavaScript payload to exfiltrate file contents to an attacker-controlled server.

Description

Joplin through 1.0.184 allows Arbitrary File Read via XSS.

Exploits (2)

exploit-db · WORKING POC
by Javier Olmedo · text · webapps · multiple
https://www.exploit-db.com/exploits/48147

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Joplin Desktop 1.0.184 and earlier, allowing arbitrary file reading via a malicious note. The PoC uses a base64-encoded JavaScript payload to exfiltrate file contents to an attacker-controlled server.

Classification: Working PoC (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Joplin Desktop 1.0.184 and before
Authentication: No auth needed
Prerequisites: Victim must open a malicious note in Joplin Desktop · Attacker must host an exploit.js file on a web server
Analyzed by devstral-2 on Feb 16, 2026.
nomisec · WORKING POC · 5 stars
by JavierOlmedo · poc
https://github.com/JavierOlmedo/CVE-2020-9038

This repository contains a functional proof-of-concept for CVE-2020-9038, an XSS vulnerability in Joplin. The exploit.js file demonstrates how an attacker can read local files via a crafted JavaScript payload.

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Joplin (version not specified)
Authentication: No auth needed
Prerequisites: Victim must execute the malicious JavaScript in a vulnerable Joplin instance
Analyzed by devstral-2 on Feb 18, 2026.

References (3)


Scores

CVSS v3: 5.4
EPSS: 0.0136
EPSS Percentile: 80.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (2):
joplin_project/joplin < 1.0.184
npm/joplin 0 - 1.2.1 (npm)
Published: Feb 17, 2020
Tracked Since: Feb 18, 2026