
Joplin EUVD-2026-30806

CVE-2026-22810 HIGH
Path Traversal: '../filedir' (CWE-24)
2026-05-15 https://github.com/laurent22/joplin GHSA-gcmj-c9gg-9vh6
8.2
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Source Code Evidence Fetched
May 15, 2026 - 17:00 vuln.today
Analysis Generated
May 15, 2026 - 17:00 vuln.today

Description (NVD)

Summary

A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.

Details

The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, an attacker can create a malicious .one file whose embedded file names contain ../../ sequences; those sequences are then interpreted as part of the target path when attachments are extracted from the .one file.

One affected location is embedded_file.rs, which generates a file name from a string previously parsed from the .one file: https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16

In that code, determine_filename passes the provided file name through unchanged.

Similar logic has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.
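The defect described above is that a name parsed from an untrusted .one file is used directly as part of an output path. The following is an added example written for this page, not code from Joplin or one2html: a hypothetical `validate_attachment_name` helper that accepts only a single plain file-name component (rejecting `..`, separators, root prefixes and backslashes), plus an `attachment_path` helper that joins the validated name onto the attachment directory and re-checks, lexically, that the result stays inside it. The sample names in `main` are constructed for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an untrusted name was rejected.
#[derive(Debug, PartialEq)]
pub enum NameError {
    /// Name is empty or whitespace-only.
    Empty,
    /// Name is not a single plain component (contains `..`, a separator,
    /// a root or drive prefix, a backslash or a NUL).
    NotAPlainFileName,
}

/// Validate an untrusted embedded-file name parsed from a .one file and return
/// it only if it is exactly one normal path component.
/// Hypothetical helper written for this page, not the converter's own API.
pub fn validate_attachment_name(untrusted: &str) -> Result<String, NameError> {
    // The .one file may have been produced on Windows while the importer runs
    // on Linux, where std::path does not split on '\\'. Reject backslashes and
    // NUL bytes up front rather than trusting the platform separator rules.
    if untrusted.contains('\\') || untrusted.contains('\0') {
        return Err(NameError::NotAPlainFileName);
    }

    // Accept exactly one `Normal` component. `..` parses as ParentDir,
    // "/..." as RootDir, "a/b" as two components, "" as no components.
    let mut components = Path::new(untrusted).components();
    let name = match (components.next(), components.next()) {
        (Some(Component::Normal(n)), None) => n,
        (None, _) => return Err(NameError::Empty),
        _ => return Err(NameError::NotAPlainFileName),
    };

    let name = name.to_str().ok_or(NameError::NotAPlainFileName)?;
    if name.trim().is_empty() {
        return Err(NameError::Empty);
    }
    Ok(name.to_string())
}

/// Join a validated name onto the attachment directory and confirm, as a
/// defense-in-depth check, that the resulting path still starts with `dir`.
pub fn attachment_path(dir: &Path, untrusted: &str) -> Result<PathBuf, NameError> {
    let name = validate_attachment_name(untrusted)?;
    let full = dir.join(&name);
    if !full.starts_with(dir) {
        return Err(NameError::NotAPlainFileName);
    }
    Ok(full)
}

fn main() {
    // Constructed sample names, not taken from any real .one file.
    let dir = Path::new("/tmp/joplin-attachments");
    for name in ["audio.wav", "../../log.txt", "..\\..\\log.txt", "/etc/hosts", ""] {
        match attachment_path(dir, name) {
            Ok(p) => println!("{name:?} -> write to {}", p.display()),
            Err(e) => println!("{name:?} -> rejected: {e:?}"),
        }
    }
}
```

Rejecting anything that is not a single component, rather than stripping leading `../` segments, is deliberate: a strip-and-retry approach is easy to get wrong across platforms, while a fail-closed check keeps the importer's output confined to its attachment directory.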

PoC

Screencast from 2025-11-20 13-50-21.webm

  1. Import poc_v2.zip.
  2. Open the application's profile directory, then open log.txt.
  3. Observe that log.txt has been overwritten with non-log-file content (a WAV file).

Tested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).

Note: The PoC ZIP file overwrites Joplin's log.txt. It is also possible to craft a file that overwrites more sensitive system files (e.g. .bashrc on Linux).

Impact

This is a path traversal vulnerability that impacts all versions of Joplin (<= v3.5.6) that include a OneNote importer. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.

Patched in

  • Joplin: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c
  • one2html: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41

Analysis (AI)

Path traversal vulnerability in Joplin's OneNote importer (versions 3.2.2 through 3.5.6) allows local attackers with authenticated access to overwrite arbitrary files on disk by importing malicious .one files containing directory traversal sequences in embedded file names. The vulnerability can lead to remote code execution by overwriting system files like .bashrc. …


Remediation (AI)

Within 24 hours: Identify all systems running Joplin versions 3.2.2-3.5.6 using asset inventory or endpoint detection tools. Within 7 days: Upgrade all affected Joplin instances to version 3.5.7 or later and verify successful patch deployment. …



EUVD-2026-30806 vulnerability details – vuln.today
