SCA: security update for @joplin/onenote-converter (GHSA-gcmj-c9gg-9vh6)

high Tenable Self-Hosted Container Security Plugin ID 441992

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7. (CVE-2026-22810)

Solution

Update the @joplin/onenote-converter library and its related packages to version 3.5.7 or later.

See Also

https://github.com/advisories/GHSA-gcmj-c9gg-9vh6

Plugin Details

Severity: High

ID: 441992

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 5/15/2026

Updated: 6/19/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.96

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-22810

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/15/2026

Vulnerability Publication Date: 5/15/2026

Reference Information

CVE: CVE-2026-22810

CWE: CWE-24