CVE-2022-35131

CRITICAL

Joplin < 2.9.1 - Stored Cross-Site Scripting via Node Title Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-35131. PoCs published by ly1g3.

AI-analyzed exploit summary: This repository provides a functional proof-of-concept for CVE-2022-35131, an XSS vulnerability in Joplin that can lead to RCE. The exploit leverages unescaped user input in the `GotoAnything.tsx` component, allowing arbitrary JavaScript execution when a crafted note title is displayed in search results.

Description

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

Exploits (1)

nomisec · WORKING POC · 3 stars
by ly1g3 · poc
https://github.com/ly1g3/Joplin-CVE-2022-35131


Classification: Working PoC (95% confidence)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Joplin version 2.8.8 and earlier
Authentication: No auth needed
Prerequisites: Ability to create a note in Joplin · User interaction (searching for the crafted note title)
Analyzed by devstral-2 on Feb 18, 2026

References (3)

Core References (3)

Broken Link (x_refsource_misc)
http://joplin.com

Exploit, Third Party Advisory (x_refsource_misc)
https://github.com/ly1g3/Joplin-CVE-2022-35131

Release Notes, Third Party Advisory (x_refsource_misc)
https://github.com/laurent22/joplin/releases/tag/v2.9.1

Scores

CVSS v3: 9.0
EPSS: 0.1533
EPSS Percentile: 94.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE: CWE-79
Status: published
Products (2):
joplinapp/joplin 2.8.8
npm/joplin 0 to 2.9.1 (npm)
Published: Jul 25, 2022
Tracked Since: Feb 18, 2026