CVE-2026-22810 HIGH

CVE-2026-22810: Joplin: Path traversal in OneNote importer allows overwriting arbitrary files

Vendor Laurent22
Product joplin
Weakness CWE-24
Published May 18, 2026
Last update May 20, 2026

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7.

Key dates

02Disclosure timeline

May 18, 2026 CVE published
May 20, 2026 Record updated