Joplin Path Traversal (CVE-2026-22810) Allows Arbitrary File Overwrites
The National Vulnerability Database has disclosed CVE-2026-22810, a high-severity path traversal vulnerability impacting Joplin, an open-source note-taking application. Versions prior to 3.5.7 are susceptible. The flaw exists within the application’s importer, specifically its OneNote converter, which fails to sanitize embedded file names before writing them to disk.
This oversight allows an attacker to craft a malicious .one file containing filenames with path traversal sequences (e.g., ../../). When a user imports this file, Joplin interprets these sequences as part of the target path, enabling the attacker to overwrite arbitrary files on the victim’s system. With a CVSS score of 8.2 (HIGH), this vulnerability presents a significant risk, as it can lead to full system compromise if exploited effectively.
Defenders must recognize the attacker’s calculus here: social engineering is key. An attacker would likely distribute a weaponized .one file, perhaps disguised as a legitimate document, to trick users into importing it. This is a direct path to persistence or privilege escalation. The issue has been patched in Joplin version 3.5.7; immediate upgrade is the only viable defense.
What This Means For You
- If your organization uses Joplin for note-taking, immediately verify all installations are upgraded to version 3.5.7 or later to mitigate CVE-2026-22810. Prioritize user education on suspicious file attachments, especially `.one` files, as this vulnerability requires user interaction to exploit.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Joplin Path Traversal - Arbitrary File Overwrite Attempt (CVE-2026-22810)
title: Joplin Path Traversal - Arbitrary File Overwrite Attempt (CVE-2026-22810)
id: scw-2026-05-18-ai-1
status: experimental
level: high
description: |
Detects Joplin.exe attempting to write files using path traversal sequences in its command line, indicating a potential exploitation of CVE-2026-22810 to overwrite arbitrary files. This rule specifically targets the known vulnerability in Joplin's importer.
author: SCW Feed Engine (AI-generated)
date: 2026-05-18
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-22810/
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- 'Joplin.exe'
CommandLine|contains:
- '../'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-22810 | Path Traversal | Joplin application versions prior to 3.5.7 |
| CVE-2026-22810 | Path Traversal | Vulnerable component: OneNote converter in Joplin |
| CVE-2026-22810 | Path Traversal | Attack vector: Malicious .one file with ../../ in embedded file names |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 19, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...