PT-2026-41386 · Joplin · Joplin

Msiemens

·

Published

2026-05-15

·

Updated

2026-05-19

·

CVE-2026-22810

CVSS v3.1

8.2

High

VectorAV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Joplin versions prior to 3.5.7
Description A path traversal issue exists in the OneNote importer. The OneNote converter fails to sanitize the names of embedded files before writing them to disk. An attacker can create a malicious .one file containing file names with ../../ sequences, which are interpreted as part of the target path during attachment extraction. This allows the overwriting of arbitrary files on disk, which could potentially lead to remote code execution. The determine filename() function in embedded file.rs is specifically involved as it passes through the provided file name without validation.
Recommendations Update to version 3.5.7.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-22810
GHSA-GCMJ-C9GG-9VH6

Affected Products

Joplin