PT-2026-41386 · Joplin · Joplin
Msiemens
·
Published
2026-05-15
·
Updated
2026-05-19
·
CVE-2026-22810
CVSS v3.1
8.2
High
| Vector | AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Joplin versions prior to 3.5.7
Description
A path traversal issue exists in the OneNote importer. The OneNote converter fails to sanitize the names of embedded files before writing them to disk. An attacker can create a malicious
.one file containing file names with ../../ sequences, which are interpreted as part of the target path during attachment extraction. This allows the overwriting of arbitrary files on disk, which could potentially lead to remote code execution. The determine filename() function in embedded file.rs is specifically involved as it passes through the provided file name without validation.Recommendations
Update to version 3.5.7.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Joplin