{"id":"CVE-2025-25187","summary":"Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin","details":"Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, so JavaScript running in the renderer can reach Node.js APIs, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses \u003ckbd\u003ectrl\u003c/kbd\u003e-\u003ckbd\u003ep\u003c/kbd\u003e (Goto Anything) to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this 
vulnerability.","aliases":["GHSA-9gfv-q6wj-fr3c"],"modified":"2026-04-10T05:23:11.261981Z","published":"2025-02-07T22:38:20.068Z","database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25187.json"},"references":[{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"},{"type":"WEB","url":"https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25187.json"},{"type":"ADVISORY","url":"https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25187"},{"type":"FIX","url":"https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/laurent22/joplin","events":[{"introduced":"0"},{"fixed":"d58126484a585ce69e015571b33cdfb23abf7d42"}]}],"versions":["android-v0.10.61","android-v0.10.62","android-v0.10.65","android-v0.10.69","android-v0.10.71","android-v0.10.83","android-v0.10.85","android-v0.10.86","android-v0.10.88","android-v0.10.89","android-v0.10.90","android-v0.10.91","android-v0.10.92","android-v1.0.100","android-v1.0.101","android-v1.0.102","android-v1.0.103","android-v1.0.115","android-v1.0.116","android-v1.0.118","android-v1.0.119","android-v1.0.120","android-v1.0.122","android-v1.0.123","android-v1.0.124","android-v1.0.125","android-v1.0.127","android-v1.0.128","android-v1.0.129","android-v1.0.131","android-v1.0.132","android-v1.0.133","android-v1.0.135","android-v1.0.138","android-v1.0.140","android-v1.0.141","android-v1.0.142","android-v1.0.148","android-v1.0.151","android-v1.0.175","android-v1.0.176","android-v1.0.177","android-v1.0.178","android
-v1.0.179","android-v1.0.181","android-v1.0.200","android-v1.0.201","android-v1.0.224","android-v1.0.225","android-v1.0.232","android-v1.0.233","android-v1.0.234","android-v1.0.236","android-v1.0.237","android-v1.0.238","android-v1.0.239","android-v1.0.240","android-v1.0.241","android-v1.0.242","android-v1.0.243","android-v1.0.248","android-v1.0.251","android-v1.0.252","android-v1.0.253","android-v1.0.254","android-v1.0.255","android-v1.0.260","android-v1.0.261","android-v1.0.269","android-v1.0.271","android-v1.0.276","android-v1.0.277","android-v1.0.279","android-v1.0.281","android-v1.0.283","android-v1.0.284","android-v1.0.289","android-v1.0.290","android-v1.0.291","android-v1.0.292","android-v1.0.293","android-v1.0.294","android-v1.0.299","android-v1.0.303","android-v1.0.304","android-v1.0.305","android-v1.0.306","android-v1.0.307","android-v1.0.308","android-v1.0.309","android-v1.0.310","android-v1.0.311","android-v1.0.312","android-v1.0.313","android-v1.0.314","android-v1.0.315","android-v1.0.316","android-v1.0.317","android-v1.0.318","android-v1.0.319-rc1","android-v1.0.320","android-v1.0.321","android-v1.0.322","android-v1.0.323","android-v1.0.324","android-v1.0.325","android-v1.0.326","android-v1.0.327","android-v1.0.337","android-v1.0.339-3","android-v1.0.340","android-v1.0.94","android-v1.0.95","android-v1.0.97","android-v1.0.98","android-v1.3.10","android-v1.3.11","android-v1.3.13","android-v1.3.7","android-v1.3.9","android-v1.4.11","android-v1.5.1","android-v1.6.2","android-v1.6.3","android-v1.6.4","android-v1.6.5","android-v1.6.6","android-v1.8.1","android-v1.8.2","android-v1.8.3","android-v1.8.4","android-v2.0.2","android-v2.0.3","android-v2.0.4","android-v2.1.1","android-v2.1.2","android-v2.10.1","android-v2.10.2","android-v2.10.3","android-v2.10.4","android-v2.10.5","android-v2.10.6","android-v2.10.7","android-v2.10.8","android-v2.11.1","android-v2.11.10","android-v2.11.11","android-v2.11.13","android-v2.11.14","android-v2.11.16","android-v2.11.2","a
ndroid-v2.11.22","android-v2.11.23","android-v2.11.24","android-v2.11.25","android-v2.11.26","android-v2.11.4","android-v2.11.6","android-v2.11.7","android-v2.11.8","android-v2.12.1","android-v2.13.1","android-v2.13.2","android-v2.13.3","android-v2.13.4","android-v2.13.5","android-v2.13.6","android-v2.13.7","android-v2.14.1","android-v2.14.2","android-v2.14.3","android-v2.14.4","android-v2.14.5","android-v2.14.6","android-v2.14.7","android-v2.14.8","android-v2.14.9","android-v2.2.2","android-v2.2.3","android-v2.4.2","android-v2.5.2","android-v2.5.3","android-v2.5.4","android-v2.5.5","android-v2.6.1","android-v2.6.3","android-v2.6.4","android-v2.6.5","android-v2.6.6","android-v2.6.8","android-v2.7.1","android-v2.7.2","android-v2.9.1","android-v2.9.2","android-v2.9.3","android-v2.9.4","android-v2.9.5","android-v2.9.6","android-v2.9.7","android-v2.9.8","android-v3.0.1","android-v3.0.2","android-v3.0.3","android-v3.0.4","android-v3.0.5","android-v3.1.1","android-v3.1.2","android-v3.1.3","android-v3.1.4","android-v3.1.5","android-v3.1.6","android-v3.1.7","cli-v0.10.86","cli-v0.10.87","cli-v0.10.93","cli-v1.0.100","cli-v1.0.106","cli-v1.0.107","cli-v1.0.108","cli-v1.0.109","cli-v1.0.110","cli-v1.0.113","cli-v1.0.114","cli-v1.0.115","cli-v1.0.117","cli-v1.0.118","cli-v1.0.120","cli-v1.0.122","cli-v1.0.123","cli-v1.0.124","cli-v1.0.126","cli-v1.0.127","cli-v1.0.128","cli-v1.0.129","cli-v1.0.133","cli-v1.0.135","cli-v1.0.136","cli-v1.0.137","cli-v1.0.139","cli-v1.0.141","cli-v1.0.145","cli-v1.0.146","cli-v1.0.147","cli-v1.0.148","cli-v1.0.149","cli-v1.0.150","cli-v1.0.154","cli-v1.0.155","cli-v1.0.156","cli-v1.0.157","cli-v1.0.158","cli-v1.0.159","cli-v1.0.160","cli-v1.0.161","cli-v1.0.162","cli-v1.0.163","cli-v1.0.164","cli-v1.0.95","cli-v1.0.96","cli-v1.0.97","cli-v1.0.98","cli-v1.0.99","cli-v1.2.1","cli-v1.3.1","cli-v1.3.2","cli-v1.3.3","cli-v1.5.1","cli-v1.6.1","cli-v1.6.2","cli-v1.6.3","cli-v2.0.1","cli-v2.10.2","cli-v2.10.3","cli-v2.13.1","cli-v2.6.1","cli-v2.8.1","cli
-v2.9.1","clipper-1.0.10","clipper-1.0.12","clipper-1.0.13","clipper-1.0.14","clipper-1.0.17","clipper-1.0.19","clipper-1.0.20","clipper-1.0.21","clipper-1.0.22","clipper-1.0.23","clipper-1.0.25","clipper-1.0.7","clipper-1.0.8","clipper-1.3.1","clipper-1.4.3","clipper-2.11.2","clipper-2.8.1","clipper-3.1.1","ios-v0.10.6","ios-v1.0.13","ios-v10.0.21","ios-v10.0.22","ios-v10.0.27","ios-v10.0.29","ios-v10.0.30","ios-v10.0.31","ios-v10.0.33","ios-v10.0.34","ios-v10.0.35","ios-v10.0.37","ios-v10.0.39","ios-v10.0.40","ios-v10.0.41","ios-v10.0.43","ios-v10.0.44","ios-v10.0.45","ios-v10.0.47","ios-v10.3.1","ios-v10.4.1","ios-v10.5.1","ios-v10.6.2","ios-v12.0.2","ios-v12.10.1","ios-v12.10.2","ios-v12.11.1","ios-v12.11.2","ios-v12.11.3","ios-v12.13.1","ios-v12.13.2","ios-v12.13.3","ios-v12.13.4","ios-v12.13.6","ios-v12.13.7","ios-v12.14.1","ios-v12.14.2","ios-v12.14.4","ios-v12.14.5","ios-v12.14.6","ios-v12.7.1","ios-v13.0.1","ios-v13.0.2","ios-v13.0.3","ios-v13.1.1","ios-v13.1.2","ios-v13.1.3","ios-v13.1.4","ios-v13.1.5","ios-v13.1.6","ios-v20.0.1","plugin-generator-v1.4.5","plugin-generator-v1.6.10","plugin-generator-v1.6.11","plugin-generator-v1.6.2","plugin-generator-v1.6.3","plugin-generator-v1.6.4","plugin-generator-v1.6.5","plugin-generator-v1.6.6","plugin-generator-v1.6.7","plugin-generator-v1.6.8","plugin-generator-v1.6.9","plugin-generator-v1.7.1","plugin-generator-v1.7.2","plugin-generator-v1.7.3","plugin-generator-v2.0.1","plugin-generator-v2.11.1","plugin-generator-v2.12.1","plugin-generator-v2.13.1","plugin-generator-v2.13.2","plugin-generator-v2.7.1","plugin-generator-v2.7.2","plugin-generator-v2.7.3","plugin-generator-v2.8.1","plugin-repo-cli-v2.6.9","server-v1.6.4","server-v1.7.2","server-v2.0.10","server-v2.0.11","server-v2.0.12","server-v2.0.13","server-v2.0.14","server-v2.0.5","server-v2.0.6","server-v2.0.8-beta","server-v2.0.9-beta","server-v2.1.1","server-v2.1.2-beta","server-v2.1.3-beta","server-v2.1.4-beta","server-v2.1.5-beta","server-v2.1.6-beta","se
rver-v2.10.10","server-v2.10.11","server-v2.10.5","server-v2.10.6","server-v2.10.7","server-v2.10.8","server-v2.10.9","server-v2.11.1","server-v2.11.2","server-v2.12.1","server-v2.13.1","server-v2.13.2","server-v2.13.4","server-v2.13.5","server-v2.14.1","server-v2.14.2","server-v2.2.1-beta","server-v2.2.10","server-v2.2.11-beta","server-v2.2.2-beta","server-v2.2.3-beta","server-v2.2.4-beta","server-v2.2.5-beta","server-v2.2.6-beta","server-v2.2.7-beta","server-v2.2.9-beta","server-v2.3.1-beta","server-v2.4.10-beta","server-v2.4.11-beta","server-v2.4.2","server-v2.4.3-beta","server-v2.4.4-beta","server-v2.4.5-beta","server-v2.4.6-beta","server-v2.4.7-beta","server-v2.4.8-beta","server-v2.4.9-beta","server-v2.5.1","server-v2.5.2","server-v2.5.3","server-v2.5.4","server-v2.5.5","server-v2.5.6","server-v2.5.7","server-v2.5.8","server-v2.5.9","server-v2.6.1","server-v2.6.10","server-v2.6.11","server-v2.6.12","server-v2.6.13","server-v2.6.14","server-v2.6.2","server-v2.6.3","server-v2.6.4","server-v2.6.5","server-v2.6.6","server-v2.6.7","server-v2.6.8","server-v2.6.9","server-v2.7.1","server-v2.7.2","server-v2.7.3","server-v2.7.4","server-v2.9.1","server-v2.9.2","server-v2.9.3","server-v2.9.4","server-v2.9.5","server-v2.9.6","server-v2.9.7","untagged-6ad6c38d382d9cf912e5","v0.10.26","v0.10.27","v0.10.28","v0.10.29","v0.10.30","v0.10.31","v0.10.32","v0.10.33","v0.10.34","v0.10.35","v0.10.36","v0.10.37","v0.10.38","v0.10.41","v0.10.42","v0.10.43","v0.10.55","v0.10.56","v0.10.57","v0.10.58","v0.10.59","v0.10.60","v0.10.61","v1.0.100","v1.0.101","v1.0.102","v1.0.103","v1.0.104","v1.0.105","v1.0.106","v1.0.107","v1.0.108","v1.0.109","v1.0.110","v1.0.111","v1.0.112","v1.0.113","v1.0.114","v1.0.115","v1.0.116","v1.0.117","v1.0.118","v1.0.119","v1.0.120","v1.0.123","v1.0.125","v1.0.126","v1.0.127","v1.0.128","v1.0.129","v1.0.130","v1.0.131","v1.0.132","v1.0.133","v1.0.134","v1.0.135","v1.0.136","v1.0.137","v1.0.138","v1.0.139","v1.0.140","v1.0.142","v1.0.143","v1.0.149","v1.0.150
","v1.0.151","v1.0.152","v1.0.153","v1.0.154","v1.0.155","v1.0.156","v1.0.157","v1.0.158","v1.0.159","v1.0.160","v1.0.161","v1.0.162","v1.0.163","v1.0.164","v1.0.165","v1.0.166","v1.0.167","v1.0.168","v1.0.169","v1.0.170","v1.0.171","v1.0.172","v1.0.174","v1.0.175","v1.0.176","v1.0.177","v1.0.178","v1.0.179","v1.0.182","v1.0.183","v1.0.184","v1.0.185","v1.0.186","v1.0.187","v1.0.188","v1.0.189","v1.0.190","v1.0.191","v1.0.192","v1.0.193","v1.0.194","v1.0.195","v1.0.196","v1.0.197","v1.0.198","v1.0.199","v1.0.200","v1.0.206","v1.0.207","v1.0.208","v1.0.209","v1.0.210","v1.0.211","v1.0.212","v1.0.213","v1.0.214","v1.0.234","v1.0.235","v1.0.238","v1.0.239","v1.0.242","v1.0.243","v1.0.62","v1.0.63","v1.0.64","v1.0.66","v1.0.67","v1.0.68","v1.0.69","v1.0.70","v1.0.81","v1.0.82","v1.0.83","v1.0.84","v1.0.85","v1.0.86","v1.0.87","v1.0.88","v1.0.89","v1.0.90","v1.0.91","v1.0.92","v1.0.93","v1.0.94","v1.0.95","v1.0.96","v1.0.97","v1.0.98","v1.0.99","v1.1.1","v1.1.2","v1.1.244","v1.1.3","v1.3.1","v1.3.10","v1.3.14","v1.3.15","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.7","v1.3.8","v1.3.9","v1.4.1","v1.4.11","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.5.1","v1.5.10","v1.5.11","v1.5.2","v1.5.3","v1.5.5","v1.5.6","v1.5.7","v1.5.8","v1.5.9","v1.6.1","v1.6.2","v1.6.4","v1.6.5","v1.6.6","v1.7.4","v1.7.5","v1.7.6","v1.8.1","v1.8.2","v1.8.3","v2.0.1","v2.0.10","v2.0.11","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v2.1.1","v2.1.4","v2.1.5","v2.10.3","v2.10.4","v2.10.5","v2.10.6","v2.10.7","v2.10.8","v2.11.1","v2.11.10","v2.11.11","v2.11.2","v2.11.3","v2.11.4","v2.11.5","v2.11.6","v2.11.7","v2.11.8","v2.11.9","v2.12.1","v2.12.10","v2.12.11","v2.12.2","v2.12.3","v2.12.4","v2.12.5","v2.12.6","v2.12.7","v2.12.8","v2.12.9","v2.13.1","v2.13.2","v2.13.3","v2.13.4","v2.13.5","v2.13.6","v2.14.1","v2.14.10","v2.14.11","v2.14.12","v2.14.13","v2.14.14","v2.14.15","v2.14.16","v2.14.17","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.14.6","v2.14.7","v2.14.8","v
2.14.9","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.4.2","v2.4.3","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.5.1","v2.5.10","v2.5.3","v2.5.4","v2.5.5","v2.5.6","v2.5.7","v2.5.8","v2.5.9","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.7.1","v2.7.10","v2.7.11","v2.7.12","v2.7.2","v2.7.3","v2.7.4","v2.7.5","v2.7.6","v2.7.7","v2.7.8","v2.7.9","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v2.8.6","v2.8.7","v2.8.8","v2.9.1","v2.9.10","v2.9.11","v2.9.12","v2.9.2","v2.9.3","v2.9.4","v2.9.5","v2.9.7","v2.9.8","v2.9.9","v3.0.1","v3.0.10","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.1","v3.1.10","v3.1.11","v3.1.12","v3.1.13","v3.1.14","v3.1.15","v3.1.16","v3.1.17","v3.1.18","v3.1.19","v3.1.2","v3.1.20","v3.1.21","v3.1.22","v3.1.23","v3.1.3","v3.1.4","v3.1.6","v3.1.7","v3.1.8","v3.1.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25187.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}