Path Traversal Vulnerability in Joplin Note-Taking Application
CVE-2026-22810

8.2 HIGH

Key Information:

Vendor: Laurent22

Status
Vendor
CVE Published: 18 May 2026

What is CVE-2026-22810?

The Joplin note-taking and to-do application is susceptible to a path traversal vulnerability due to improper sanitization of embedded file names in its OneNote converter. Versions before 3.5.7 allow attackers to exploit this flaw by crafting malicious .one files that can overwrite arbitrary files on the disk. This is accomplished through file names that include sequences like '../../', which the application interprets as part of the file path during extraction of attachments. Users are strongly encouraged to upgrade to version 3.5.7 or later to mitigate this risk.
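The containment check that this class of bug calls for, as an added example (not Joplin's code or its actual fix): each embedded file name is resolved against the extraction directory and rejected if the result falls outside it. The function names, the `/tmp/import-dir` directory and the sample names are constructed for illustration.

```javascript
// Added illustration, not Joplin's code; function names are hypothetical.
const path = require('node:path');

// Return the absolute extraction path for an embedded file name,
// or throw if the name would resolve outside outputDir.
function resolveAttachmentPath(outputDir, embeddedName) {
  if (typeof embeddedName !== 'string' || embeddedName === '' || embeddedName.includes('\0')) {
    throw new Error('invalid embedded file name');
  }
  // Treat "\" as a separator too, so Windows-style names are caught on POSIX hosts.
  const name = embeddedName.replace(/\\/g, '/');
  const base = path.resolve(outputDir);
  const target = path.resolve(base, name);
  // Compare by relative path, not string prefix: a sibling directory sharing
  // the same prefix must not pass as being inside the output directory.
  const rel = path.relative(base, target);
  const escapes = rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error('embedded file name escapes output directory: ' + JSON.stringify(embeddedName));
  }
  return target;
}

// Classify a list of embedded names without writing anything to disk.
function auditNames(outputDir, names) {
  return names.map((name) => {
    try {
      return { name, ok: true, target: resolveAttachmentPath(outputDir, name) };
    } catch (err) {
      return { name, ok: false, reason: err.message };
    }
  });
}

// Constructed sample names, as they might appear inside an imported file.
const SAMPLE_NAMES = [
  'diagram.png',                        // plain name: allowed
  'sub/../diagram.png',                 // stays inside after normalization: allowed
  '..notes.txt',                        // leading dots but no traversal: allowed
  '../../outside.txt',                  // parent-directory traversal: rejected
  '..\\..\\outside.txt',                // same with backslashes: rejected
  '/tmp/elsewhere/outside.txt',         // absolute path: rejected
  '../import-dir-sibling/outside.txt',  // sibling with shared prefix: rejected
];

for (const r of auditNames('/tmp/import-dir', SAMPLE_NAMES)) {
  console.log(r.ok ? 'ALLOW ' : 'REJECT', JSON.stringify(r.name));
}
```

The check is lexical only: if the extraction directory can already contain symbolic links, the resolved path also has to be compared after `fs.realpathSync` on its parent directory.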

Affected Version(s)

joplin < 3.5.7

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
