Threat Advisory

Joplin Vulnerability Enables Overwriting Arbitrary Files

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-22810 (CVSS 8.2) is a path traversal vulnerability in the OneNote importer that allows arbitrary files on disk to be overwritten. The affected software is joplin/onenote-converter; versions earlier than 3.5.7 are impacted. The vulnerability exists because the OneNote converter does not sanitize the names of embedded files before writing them to disk. An attacker can therefore craft a malicious `.one` file whose embedded file names contain `../../`; when the attachments are extracted from the `.one` file, those segments are interpreted as part of the target path. Exploitation requires only that a victim import the crafted OneNote export file, so no access beyond the ability to import files is needed, and the result is the ability to overwrite arbitrary files on disk. The business impact is significant, because overwriting sensitive system files can potentially lead to remote code execution. The vulnerability is exploitable whenever the OneNote importer is present on the target system, regardless of the Joplin version, which means every Joplin release that includes the OneNote importer (<= v3.5.6) is affected.

RECOMMENDATION:

We recommend updating joplin/onenote-converter to version 3.5.7.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-gcmj-c9gg-9vh6
