Joplin is vulnerable to remote code execution. The vulnerability is due to the application not validating the schema or protocol of existing links. An attacker can upload a malicious markdown file with links, which will be opened by shell.openExternal()
when a user opens the markdown file, resulting in remote code execution.