PatchSiren cyber security CVE debrief

CVE-2026-22810 laurent22 CVE debrief

A path-traversal vulnerability in Joplin's OneNote importer allows arbitrary file overwrite via malicious .one attachments. The embedded_file.rs converter fails to sanitize attachment filenames, so directory-traversal sequences (../../) in an embedded file's name escape the intended extraction directory. An attacker can craft a OneNote file that, when imported, overwrites files the Joplin process can write to, including critical system files if the process has that access.

Vendor: laurent22
Product: joplin
CVSS: 8.2 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Joplin users who import OneNote files; security teams managing note-taking application deployments; organizations using Joplin for sensitive documentation workflows

Technical summary

The Joplin OneNote converter (embedded_file.rs) writes embedded file attachments from .one files to disk without sanitizing the attachment filename. A malicious OneNote file whose embedded attachment name contains a path-traversal sequence (e.g., ../../etc/critical-file) causes the attachment to be written outside the intended extraction directory, enabling arbitrary file overwrite with attacker-controlled content. The write happens with the privileges of the Joplin process, so the reachable targets are whatever that process can write. This affects the confidentiality, integrity, and availability of the host system.
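The kind of check the converter needs before writing an embedded file, as an added example written for this debrief and not Joplin's own code: the attacker-controlled attachment name is reduced to normal path components only, with any `..`, root or drive prefix rejected, and the resulting path is confirmed to still sit under the extraction directory. The function and error names are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an attachment name was refused (assumed names, not Joplin's).
#[derive(Debug, PartialEq)]
pub enum AttachmentPathError {
    Empty,
    Traversal,
    Absolute,
}

/// Resolve an untrusted attachment name to a path strictly inside `base`.
/// Only `Normal` components are kept; `..` is a traversal attempt and a
/// leading `/` or drive prefix is an absolute path, both of which are refused.
pub fn safe_attachment_path(base: &Path, name: &str) -> Result<PathBuf, AttachmentPathError> {
    if name.trim().is_empty() {
        return Err(AttachmentPathError::Empty);
    }
    // .one files come from Windows, so treat backslashes as separators too;
    // otherwise "..\\..\\x" would look like a single harmless filename on Linux.
    let normalized = name.replace('\\', "/");
    let mut out = base.to_path_buf();
    for comp in Path::new(&normalized).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {} // "./" adds nothing
            Component::ParentDir => return Err(AttachmentPathError::Traversal),
            Component::RootDir | Component::Prefix(_) => return Err(AttachmentPathError::Absolute),
        }
    }
    // A name like "." resolves to the directory itself; refuse it.
    if out == base {
        return Err(AttachmentPathError::Empty);
    }
    // Defence in depth: the built path must still be under the extraction dir.
    if !out.starts_with(base) {
        return Err(AttachmentPathError::Traversal);
    }
    Ok(out)
}

fn main() {
    let base = Path::new("/tmp/joplin-import"); // constructed extraction directory
    for name in ["notes/image.png", "../../etc/critical-file", "..\\..\\evil.bin", "/etc/passwd"] {
        println!("{name:?} -> {:?}", safe_attachment_path(base, name));
    }
}
```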

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Joplin to version 3.5.7 or later to remediate this vulnerability
  • Block or quarantine .one file imports from untrusted sources until patching is complete
  • Audit systems for unexpected file modifications in directories writable by Joplin processes
  • Review file integrity of critical system files if malicious .one imports are suspected
  • Consider disabling OneNote import functionality if not required for business operations

Evidence notes

Vulnerability exists in packages/onenote-converter/renderer/src/page/embedded_file.rs lines 13-16. Fix commit 791668455e1aae50501ff57ea4783b3fba9d377c merged via PR #13736.

Official resources

Disclosed 2026-05-18 via GitHub Security Advisory GHSA-gcmj-c9gg-9vh6; patched in Joplin 3.5.7 released 2026-05-18.