Description
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7.
Published: 2026-05-18
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joplin application contains a path traversal vulnerability in its OneNote importer. When an attacker supplies a malicious .one file with embedded file names that include sequences like '../../', the importer interprets these as part of the target path and writes the extracted attachments directly to those locations. This flaw allows the attacker to overwrite any file that the Joplin process can write to, potentially compromising application data or altering system configuration.

Affected Systems

Windows, macOS, and Linux installations of Joplin (the laurent22/joplin project) older than version 3.5.7 are affected; NVD's CPE data additionally lists msiemens one2html. The vulnerability resides in the OneNote import module (@joplin/onenote-converter) that extracts attachments embedded in .one files.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 8.2 (High) with vector AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H: the attack vector is local and user interaction is required, meaning a victim has to import the crafted .one file, but the scope is changed and confidentiality, integrity and availability impacts are all rated high. The EPSS score is below 1% (Very Low), and the flaw is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: poc and Technical Impact: total. An attacker who can get a user to import a crafted .one file can write attacker-controlled content to any path the Joplin process can write to. The description does not state that this alone yields code execution; whether it does depends on which writable files the attacker targets (a write to a shell startup file or a program's configuration is the usual way an arbitrary-file-write primitive is escalated), so the baseline risk is unauthorized file modification and compromise of the user's notes and application data.

Generated by OpenCVE AI on May 18, 2026 at 21:50 UTC.

Remediation

Fixed in Joplin 3.5.7; see the GitHub advisory GHSA-gcmj-c9gg-9vh6.

OpenCVE Recommended Actions

  • Upgrade Joplin to version 3.5.7 or later, which fixes the path traversal issue.
  • If an immediate upgrade is not possible, disable the OneNote import feature or block the processing of untrusted .one files.
  • Apply stricter file system permissions so that the Joplin process cannot write to critical directories or files.



Advisories
Source        ID                    Title
GitHub GHSA   GHSA-gcmj-c9gg-9vh6   @joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files
History

Tue, 02 Jun 2026 17:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Msiemens; Msiemens one2html
CPEs                  -                cpe:2.3:a:msiemens:one2html:*:*:*:*:*:rust:*:*
Vendors & Products    -                Msiemens; Msiemens one2html

Tue, 02 Jun 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Joplinapp; Joplinapp joplin
CPEs                  -                cpe:2.3:a:joplinapp:joplin:*:*:*:*:*:*:*:*
Vendors & Products    -                Joplinapp; Joplinapp joplin

Tue, 19 May 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 08:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Laurent 22; Laurent 22 joplin
Vendors & Products    -                Laurent 22; Laurent 22 joplin

Mon, 18 May 2026 20:45:00 +0000

Type                  Values Removed   Values Added
Description           -                Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7.
Title                 -                Joplin: Path traversal in OneNote importer allows overwriting arbitrary files
Weaknesses            -                CWE-24
References            -                -
Metrics               -                cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T03:55:23.355Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22810

Vulnrichment

Updated: 2026-05-19T12:49:29.457Z

NVD

Status : Analyzed

Published: 2026-05-18T21:16:39.373

Modified: 2026-06-02T17:04:00.330

Link: CVE-2026-22810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T08:15:26Z

Weaknesses