Path Traversal: '../filedir'

CVE-2026-22810

Low

0/10

Summary

A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue affects versions prior to 3.5.7.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-24 - Path Traversal: '../filedir'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

References

Advisory

Advisory Timeline

Published May 18, 2026

Path Traversal: '../filedir'

CVE-2026-22810

Summary

CWE-24 - Path Traversal: '../filedir'

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS