8.2

CVE-2026-22810

Joplin: Path traversal in OneNote importer allows overwriting arbitrary files

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, an attacker can create a malicious .one file whose embedded file names contain ../../ sequences, which are then interpreted as part of the target path when attachments are extracted from the .one file. This issue has been patched in version 3.5.7.
Data provided by the National Vulnerability Database (NVD)
Joplinapp Joplin Version < 3.5.7
Msiemens One2html SwPlatform rust Version <= 1.3.0
No warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.21% 0.106
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.3 1.3 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com 8.2 1.5 6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE-24 Path Traversal: '../filedir'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
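The unsanitized join described above, next to one way to neutralize it, as an added Rust example that is not Joplin's code or its patch. The helpers `naive_target`, `normalize` and `safe_target` are hypothetical, the output directory and file names are constructed samples, and a Unix-style absolute output directory is assumed.

```rust
use std::path::{Component, Path, PathBuf};

/// Behaviour the advisory describes: the embedded name is joined as-is.
fn naive_target(out_dir: &Path, embedded_name: &str) -> PathBuf {
    out_dir.join(embedded_name)
}

/// Lexically resolve `.` and `..` without touching the file system.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in path.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hardened variant (hypothetical): keep only the final name segment,
/// reject empty or special names, then confirm containment.
fn safe_target(out_dir: &Path, embedded_name: &str) -> Option<PathBuf> {
    // .one files originate on Windows, so both separators count as path breaks.
    let leaf = embedded_name.rsplit(|c: char| c == '/' || c == '\\').next()?;
    let has_special = leaf.contains(|c: char| c == '\0' || c == ':');
    if leaf.is_empty() || leaf == "." || leaf == ".." || has_special {
        return None;
    }
    let target = normalize(&out_dir.join(leaf));
    // Defence in depth: the resolved path must still sit under out_dir.
    if target.starts_with(normalize(out_dir)) { Some(target) } else { None }
}

fn main() {
    let out = Path::new("/tmp/import/resources"); // constructed sample directory
    // Constructed sample names, as an embedded-file entry might carry them.
    for name in ["report.pdf", "../../.bashrc", "..\\..\\evil.dll", "..", "a/b/c.txt"] {
        println!("{:?}\n  naive: {:?}\n  safe:  {:?}", name,
                 normalize(&naive_target(out, name)), safe_target(out, name));
    }
}
```

The hardened helper flattens directory components instead of rejecting the whole name; an importer that prefers to fail closed can return `None` whenever the name contains any separator.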

https://github.com/laurent22/joplin/security/advisories/GHSA-gcmj-c9gg-9vh6
Vendor Advisory
https://github.com/laurent22/joplin/pull/13736
Issue Tracking
https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c
Patch
https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16
Product
https://github.com/laurent22/joplin/releases/tag/v3.5.7
Patch
Product