GHSA-GCMJ-C9GG-9VH6
Vulnerability from github – Published: 2026-05-15 16:27 – Updated: 2026-05-15 16:27
Summary
A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.
Details
The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, an attacker can craft a malicious .one file whose embedded file names contain ../../; those names are then interpreted as part of the target path when attachments are extracted from the .one file.
One affected location is embedded_file.rs, which generates a file name from a string previously parsed from the .one file:
https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16
There, determine_filename (https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L56-L64) passes the provided file name through unchanged.
Similar logic (https://github.com/laurent22/joplin/blob/4d7fa5972fe2986eae14cbf3a2801835cbe1384e/packages/onenote-converter/src/page/embedded_file.rs#L14) has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.
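As an added illustration (this is not code from Joplin, one2html, or their patches), the Rust example below contrasts the unchecked join the advisory describes with one conventional hardening: keep only the final segment of the embedded file name, reject empty or dot-only names, and confirm that the joined path is a direct child of the attachment directory. The directory /tmp/joplin-profile/resources/import, the sample names, and the function names are constructed for the example; Joplin's real profile layout and the upstream fix may differ.

```rust
use std::path::{Component, Path, PathBuf};

/// Pre-patch behaviour as the advisory describes it: the embedded file name
/// parsed from the .one file is joined to the attachment directory unchanged,
/// so a name such as "../../log.txt" walks out of that directory.
/// Illustrative reconstruction, not the project's own code.
pub fn unsafe_attachment_path(out_dir: &Path, embedded_name: &str) -> PathBuf {
    out_dir.join(embedded_name)
}

/// Resolve "." and ".." lexically (without touching the filesystem) so the
/// example can show where an unsanitized name would actually land.
pub fn lexical_resolve(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::CurDir => {}
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hardened variant (a hypothetical hardening added for this example, not the
/// upstream patch): keep only the final path segment of the supplied name,
/// reject names that are empty, dot entries, or contain NUL, and then verify
/// that the joined result is exactly one normal component below `out_dir`.
pub fn safe_attachment_path(out_dir: &Path, embedded_name: &str) -> Result<PathBuf, String> {
    // Split on both '/' and '\': a .one file written on Windows can carry
    // backslashes, and on Unix `Path` treats a backslash as an ordinary byte.
    let base = embedded_name
        .rsplit(|c: char| c == '/' || c == '\\')
        .next()
        .unwrap_or("");
    if base.is_empty() || base == "." || base == ".." || base.contains('\0') {
        return Err(format!("rejected embedded file name {:?}", embedded_name));
    }
    let candidate = out_dir.join(base);
    if !is_direct_child(out_dir, &candidate) {
        return Err(format!("{:?} would escape {:?}", candidate, out_dir));
    }
    Ok(candidate)
}

/// True when `candidate` is `out_dir` plus exactly one `Component::Normal`.
/// Comparing components rather than string prefixes avoids the classic
/// "/out" vs "/out-other" prefix confusion.
fn is_direct_child(out_dir: &Path, candidate: &Path) -> bool {
    match candidate.strip_prefix(out_dir) {
        Ok(rest) => {
            let mut comps = rest.components();
            matches!(comps.next(), Some(Component::Normal(_))) && comps.next().is_none()
        }
        Err(_) => false,
    }
}

fn main() {
    // Constructed attachment directory for the demonstration.
    let out_dir = Path::new("/tmp/joplin-profile/resources/import");
    for name in ["notes.wav", "../../log.txt", "..\\..\\.bashrc", "/etc/passwd", ".."] {
        let unsafe_path = unsafe_attachment_path(out_dir, name);
        println!(
            "{:<16} unsafe -> {}  safe -> {:?}",
            name,
            lexical_resolve(&unsafe_path).display(),
            safe_attachment_path(out_dir, name)
        );
    }
}
```

Running the example shows "../../log.txt" landing two directories above the attachment directory under the unchecked join, and "/etc/passwd" replacing the base directory entirely because Path::join discards the left side when the right side is absolute. The hardened path keeps only the final segment, which is why a stricter policy (refusing any name that contains a separator at all) is also defensible when silently renaming an attachment is undesirable.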
PoC
Screencast (2025-11-20 13-50-21.webm): https://github.com/user-attachments/assets/a9d6cc64-ec11-4f33-9f92-32efe0eaab23
1. Import poc_v2.zip (https://github.com/user-attachments/files/23664109/poc_v2.zip).
2. Open the application's profile directory, then open log.txt.
3. Observe that log.txt has been overwritten with non-log-file content (a WAV file).
Tested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).
Note: The PoC ZIP file overwrites Joplin's log.txt. It is also possible to craft a file that overwrites more sensitive system files (e.g. .bashrc on Linux).
Impact
This is a path traversal vulnerability that impacts all versions of Joplin (<= v3.5.6) that include a OneNote importer. Importing a crafted OneNote export file allows an attacker to overwrite any file the importing user can write, potentially leading to code execution (for example by overwriting a shell startup file such as .bashrc, as noted above). The victim must import the crafted file, which the CVSS vector below reflects as AV:L/UI:R.
Patched in
- Joplin: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c
- one2html: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@joplin/onenote-converter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22810"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-15T16:27:11Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.\n\n### Details\nThe OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it\u0027s possible for an attacker to create a malicious `.one` file that includes file names containing `../../`, that are then interpreted as part of the target path when extracting attachments from the `.one` file.\n\nOne affected location is `embedded_file.rs`, which generates a file name from a string previously parsed from the `.one` file,\nhttps://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16\n\nAbove, [`determine_filename`](https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L56-L64) passes through the provided file name.\n\n[Similar logic](https://github.com/laurent22/joplin/blob/4d7fa5972fe2986eae14cbf3a2801835cbe1384e/packages/onenote-converter/src/page/embedded_file.rs#L14) has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.\n\n### PoC\n\n[Screencast from 2025-11-20 13-50-21.webm](https://github.com/user-attachments/assets/a9d6cc64-ec11-4f33-9f92-32efe0eaab23)\n\n\n1. Import [poc_v2.zip](https://github.com/user-attachments/files/23664109/poc_v2.zip).\n2. Open the application\u0027s profile directory, then open `log.txt`.\n3. Observe that `log.txt` has been overwritten non-log-file content (a WAV file).\n\nTested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).\n\n**Note**: The PoC ZIP file overwrites Joplin\u0027s `log.txt`. It is also possible to craft a file that overwrites more sensitive system files (e.g. `.bashrc` on Linux).\n\n### Impact\nThis is a path traversal vulnerability that impacts **all versions of Joplin (\u003c= v3.5.6) that include a OneNote importer**. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.\n\n### Patched in\n\n- **Joplin**: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c\n- **one2html**: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41",
"id": "GHSA-gcmj-c9gg-9vh6",
"modified": "2026-05-15T16:27:11Z",
"published": "2026-05-15T16:27:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-gcmj-c9gg-9vh6"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/pull/13736"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c"
},
{
"type": "PACKAGE",
"url": "https://github.com/laurent22/joplin"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16"
},
{
"type": "WEB",
"url": "https://github.com/laurent22/joplin/releases/tag/v3.5.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.