Description
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termination by inserting an excessively long string into a note's title. This can be triggered either through direct user interface (UI) input or programmatically via the local web service API after compromising an authentication token. There are two primary methods of exploitation: via User Interface (UI) input, and via the local web service API. A local user can directly type or paste an extremely long string into the title field when creating or editing a note. Joplin also runs a local web service (typically on port 41184) that allows programmatic interaction, such as creating or editing notes via HTTP API calls. If an attacker manages to exfiltrate or compromise the user's authentication token (e.g., through malware on the local system, or other local vulnerabilities), they can then send a crafted HTTP POST request to this local API. By including an excessively long string in the title parameter of this request, the application will attempt to allocate an unbounded amount of memory. This issue has been patched in version 3.7.1.
Published: 2026-05-19
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled resource allocation flaw in Joplin’s title input handling (CWE‑770). An attacker can submit an excessively long string as a note title either via the graphical interface or through the local web service API, causing the application to attempt to allocate more memory than it can manage, which results in an out‑of‑memory error and application termination. This denial of service can degrade the availability of Joplin for the affected user or process.

Affected Systems

Affected: the laurent22 Joplin note-taking application, version 3.6.14 and earlier. Versions 3.7.1 and later contain a fix that enforces proper length validation of note titles. The fix is in the open-source codebase and is documented in the GitHub repository under commit 5b8795da.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and there is no EPSS score reported, suggesting limited publicly documented exploitation. However, the vulnerability is exploitable locally by any user who can enter a note title, and an attacker who obtains the user's authentication token for Joplin's local API can trigger the DoS through that API without touching the UI. The issue is not listed in CISA's KEV catalog, but its impact, an application crash, can be disruptive in environments that rely on Joplin for critical note management.

Generated by OpenCVE AI on May 19, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Joplin to version 3.7.1 or newer to apply the official fix.
  • Disable or restrict the local web service API if it is not required for your workflow.
  • Monitor and limit note title lengths and overall memory usage to detect potential DoS attempts.
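As an added example (not Joplin's own code) of the length validation the description says was missing, this is the bounding a defender would expect in front of the local note API: the request body is capped while it is read, and the title is checked by code point before anything is stored. The limits MAX_TITLE_CHARS and MAX_BODY_BYTES are assumed values, not Joplin's.

```javascript
// Added example, not Joplin's own code: bound the title before it can grow
// without limit. MAX_TITLE_CHARS and MAX_BODY_BYTES are assumed values.
const MAX_TITLE_CHARS = 1000;
const MAX_BODY_BYTES = 256 * 1024;

// Read a request body chunk by chunk and stop as soon as the running total
// passes the cap, so the handler never holds an unbounded buffer.
function readBodyBounded(chunks) {
  const held = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > MAX_BODY_BYTES) return { ok: false, reason: 'body too large' };
    held.push(chunk);
  }
  return { ok: true, body: Buffer.concat(held).toString('utf8') };
}

// Check the title by code point (an emoji is two UTF-16 units but one
// character) without building a copy of it first.
function validateTitle(title) {
  if (typeof title !== 'string') return { ok: false, reason: 'title must be a string' };
  let count = 0;
  for (const _ of title) {
    if (++count > MAX_TITLE_CHARS) return { ok: false, reason: 'title too long' };
  }
  return { ok: true };
}

// POST /notes style handler: the body cap runs before JSON.parse and the
// title check runs before anything is stored.
function handleCreateNote(chunks) {
  const read = readBodyBounded(chunks);
  if (!read.ok) return { status: 413, error: read.reason };
  let note;
  try { note = JSON.parse(read.body); } catch { return { status: 400, error: 'invalid JSON' }; }
  if (note === null || typeof note !== 'object') return { status: 400, error: 'invalid JSON' };
  const check = validateTitle(note.title);
  if (!check.ok) return { status: 400, error: check.reason };
  return { status: 200, note: { title: note.title, body: note.body ?? '' } };
}

// Constructed sample requests: a normal note, an over-long title that fits
// the body cap, and a body that exceeds the cap outright.
const okReq = [Buffer.from(JSON.stringify({ title: 'Weekly plan', body: 'x' }))];
const longTitleReq = [Buffer.from(JSON.stringify({ title: 'A'.repeat(MAX_TITLE_CHARS + 1) }))];
const hugeReq = [Buffer.alloc(MAX_BODY_BYTES + 1, 0x41)];
console.log(handleCreateNote(okReq).status, handleCreateNote(longTitleReq).status, handleCreateNote(hugeReq).status);
```

The body cap matters as much as the title cap: if the whole request is buffered before the title is inspected, the allocation has already happened by the time the check runs.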



Advisories

No advisories yet.

History

Wed, 20 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Laurent 22; Laurent 22 joplin
Vendors & Products | | Laurent 22; Laurent 22 joplin

Tue, 19 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termination by inserting an excessively long string into a note's title. This can be triggered either through direct user interface (UI) input or programmatically via the local web service API after compromising an authentication token. There are 2 primary methods of exploitation: via User Interface (UI) Input, and the Local Web Service API. A local user can directly type or paste an extremely long string into the title field when creating or editing a note Joplin runs a local web service (typically on port 41184) that allows programmatic interaction, such as creating or editing notes via HTTP API calls. If an attacker manages to exfiltrate or compromise the user's authentication token (e.g., through malware on the local system, or other local vulnerabilities), they can then send a crafted HTTP POST request to this local API. By including an excessively long string in the title parameter of this request, the application will attempt to allocate an unbounded amount of memory. This issue has been patched in version 3.7.1.
Title | | Joplin has Denial of Service (DoS) via Uncontrolled Resource Allocation through Title Input
Weaknesses | | CWE-770
References | |
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T14:55:22.365Z

Reserved: 2025-08-20T14:30:35.008Z

Link: CVE-2025-57798

Vulnrichment

Updated: 2026-05-20T14:53:39.284Z

NVD

Status: Deferred

Published: 2026-05-19T21:16:40.817

Modified: 2026-05-20T16:16:24.953

Link: CVE-2025-57798

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:00:04Z

Weaknesses