HIGH🇬🇧 English

CVE-2026-22810

CVSS 8.2v3.1pub. 2026-05-18upd. 2026-06-02

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7.

oryginał EN
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
  • Joplinapp Joplin

    APP
    Joplinapp
    < 3.5.7
  • Msiemens One2html

    APP
    Msiemens
    ≤ 1.3.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2022-35131CRITICAL9.0ten sam produkt

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titl...

CVE-2022-40277HIGH7.8ten sam produkt

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that ope...

CVE-2021-23431MEDIUM5.4ten sam produkt

The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks...

CVE-2026-22810 — HIGH 8.2 | CVEbaza.pl