Severity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.
Details
The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file.
One affected location is embedded_file.rs, which generates a file name from a string previously parsed from the .one file, https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16
Above, determine_filename passes through the provided file name.
Similar logic has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.
PoC
Screencast from 2025-11-20 13-50-21.webm
- Import poc_v2.zip.
- Open the application's profile directory, then open
log.txt. - Observe that
log.txthas been overwritten non-log-file content (a WAV file).
Tested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).
Note: The PoC ZIP file overwrites Joplin's log.txt. It is also possible to craft a file that overwrites more sensitive system files (e.g. .bashrc on Linux).
Impact
This is a path traversal vulnerability that impacts all versions of Joplin (<= v3.5.6) that include a OneNote importer. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.
Patched in
- Joplin: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c
- one2html: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41
AnalysisAI
Path traversal vulnerability in Joplin's OneNote importer (versions 3.2.2 through 3.5.6) allows local attackers with authenticated access to overwrite arbitrary files on disk by importing malicious .one files containing directory traversal sequences in embedded file names. The vulnerability can lead to remote code execution by overwriting system files like .bashrc. Publicly available exploit code exists, with vendor-released patch available in version 3.5.7.
Technical ContextAI
The vulnerability exists in the @joplin/onenote-converter npm package, specifically in the embedded_file.rs module that handles file extraction from OneNote (.one) files. The root cause (CWE-24) is improper neutralization of '../' directory traversal sequences in file names parsed from OneNote files. The determine_filename function passes through unsanitized file names containing path traversal sequences, which are then used directly when writing extracted attachments to disk. This affects the Rust-based OneNote converter introduced in Joplin 3.2.2.
RemediationAI
Vendor-released patch: Joplin 3.5.7 contains the fix implemented in commit 791668455e1aae50501ff57ea4783b3fba9d377c. Users should immediately upgrade to version 3.5.7 or later via the official release at https://github.com/laurent22/joplin/releases/tag/v3.5.7. As an immediate workaround until patching, administrators can disable or restrict access to the OneNote import functionality, though this eliminates a key feature. Organizations should audit recent OneNote imports for suspicious file names containing '../' sequences and check for unexpected file modifications in user home directories or system paths.
Same weakness CWE-24 – Path Traversal: '../filedir'
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30806
GHSA-gcmj-c9gg-9vh6