{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/joplin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Joplin (\u003c= 3.5.6)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-overwrite","cve-2026-22810","joplin"],"_cs_type":"advisory","_cs_vendors":["Joplin"],"content_html":"\u003cp\u003eJoplin, a popular open-source note-taking application, is vulnerable to a path traversal attack (CVE-2026-22810) within its OneNote import functionality. This flaw affects Joplin versions 3.5.6 and earlier. The vulnerability lies in the \u003ccode\u003e@joplin/onenote-converter\u003c/code\u003e npm package, specifically due to insufficient sanitization of filenames extracted from OneNote\u0026rsquo;s \u003ccode\u003e.one\u003c/code\u003e files. By crafting a malicious \u003ccode\u003e.one\u003c/code\u003e file containing embedded files whose names incorporate directory traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e), an attacker can control the write path of extracted files during the import process. This can lead to overwriting arbitrary files on the system where Joplin is running. The vulnerability was introduced around Joplin 3.2.2, when the OneNote importer was first added, and was identified and reported in May 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.one\u003c/code\u003e file. This file contains specially named embedded files, with the filenames including path traversal sequences like \u003ccode\u003e../../\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim imports the malicious \u003ccode\u003e.one\u003c/code\u003e file into Joplin (version 3.5.6 or earlier).\u003c/li\u003e\n\u003cli\u003eJoplin\u0026rsquo;s OneNote importer (\u003ccode\u003e@joplin/onenote-converter\u003c/code\u003e) processes the \u003ccode\u003e.one\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe importer extracts embedded files without proper sanitization of the filenames.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eembedded_file.rs\u003c/code\u003e component of the importer constructs a file path based on the extracted filename.\u003c/li\u003e\n\u003cli\u003eThe path traversal sequences in the filename are interpreted, allowing the write operation to escape the intended directory.\u003c/li\u003e\n\u003cli\u003eThe extracted file is written to an arbitrary location on the file system, overwriting any existing file at that location.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file overwrite, potentially leading to code execution if a critical system file is targeted (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e or application configuration files).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-22810) allows an attacker to overwrite arbitrary files on the victim\u0026rsquo;s system. This can lead to a variety of consequences, including denial of service, privilege escalation, and potentially remote code execution. The provided proof-of-concept overwrites Joplin\u0026rsquo;s \u003ccode\u003elog.txt\u003c/code\u003e file, but more sensitive files such as \u003ccode\u003e.bashrc\u003c/code\u003e on Linux systems can be targeted. All users of Joplin versions 3.5.6 and earlier who use the OneNote import functionality are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Joplin to version 3.5.7 or later to incorporate the patch for CVE-2026-22810 (\u003ca href=\"https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c\"\u003ehttps://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts involving path traversal sequences in file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T16:29:03Z","date_published":"2026-05-15T16:29:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-joplin-path-traversal/","summary":"A path traversal vulnerability exists in the OneNote importer of Joplin versions 3.5.6 and earlier. By importing a crafted .one file, an attacker can overwrite arbitrary files on the disk, potentially leading to privilege escalation and remote code execution. The vulnerability stems from the lack of sanitization of embedded file names within the OneNote converter, allowing filenames containing directory traversal sequences like `../../`.","title":"Joplin OneNote Importer Path Traversal Vulnerability (CVE-2026-22810)","url":"https://feed.craftedsignal.io/briefs/2026-05-joplin-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Joplin","version":"https://jsonfeed.org/version/1.1"}