CVE-2025-27134
Privilege escalation in Joplin server via user patch endpoint
Vexday Risk Score
36Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 8.8EPSS 1.7%KEV nãoPoC —Nuclei simMetasploit —Patch —
Ciclo de vida
30 abr 2025Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint `PATCH /api/users/:id` to set the `is_admin` field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Productos afectados
laurent22 · joplin¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →