Skip to main content

Joplin CVE-2026-22810

| EUVDEUVD-2026-30806 HIGH
Path Traversal: '../filedir' (CWE-24)
2026-05-15 https://github.com/laurent22/joplin GHSA-gcmj-c9gg-9vh6
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 17:00 vuln.today
Analysis Generated
May 15, 2026 - 17:00 vuln.today

DescriptionGitHub Advisory

Summary

A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.

Details

The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file.

One affected location is embedded_file.rs, which generates a file name from a string previously parsed from the .one file, https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16

Above, determine_filename passes through the provided file name.

Similar logic has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.

PoC

Screencast from 2025-11-20 13-50-21.webm

  1. Import poc_v2.zip.
  2. Open the application's profile directory, then open log.txt.
  3. Observe that log.txt has been overwritten non-log-file content (a WAV file).

Tested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).

Note: The PoC ZIP file overwrites Joplin's log.txt. It is also possible to craft a file that overwrites more sensitive system files (e.g. .bashrc on Linux).

Impact

This is a path traversal vulnerability that impacts all versions of Joplin (<= v3.5.6) that include a OneNote importer. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.

Patched in

  • Joplin: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c
  • one2html: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41

AnalysisAI

Path traversal vulnerability in Joplin's OneNote importer (versions 3.2.2 through 3.5.6) allows local attackers with authenticated access to overwrite arbitrary files on disk by importing malicious .one files containing directory traversal sequences in embedded file names. The vulnerability can lead to remote code execution by overwriting system files like .bashrc. Publicly available exploit code exists, with vendor-released patch available in version 3.5.7.

Technical ContextAI

The vulnerability exists in the @joplin/onenote-converter npm package, specifically in the embedded_file.rs module that handles file extraction from OneNote (.one) files. The root cause (CWE-24) is improper neutralization of '../' directory traversal sequences in file names parsed from OneNote files. The determine_filename function passes through unsanitized file names containing path traversal sequences, which are then used directly when writing extracted attachments to disk. This affects the Rust-based OneNote converter introduced in Joplin 3.2.2.

RemediationAI

Vendor-released patch: Joplin 3.5.7 contains the fix implemented in commit 791668455e1aae50501ff57ea4783b3fba9d377c. Users should immediately upgrade to version 3.5.7 or later via the official release at https://github.com/laurent22/joplin/releases/tag/v3.5.7. As an immediate workaround until patching, administrators can disable or restrict access to the OneNote import functionality, though this eliminates a key feature. Organizations should audit recent OneNote imports for suspicious file names containing '../' sequences and check for unexpected file modifications in user home directories or system paths.

Share

CVE-2026-22810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy