CVE-2019-10038

HIGH

Evernote 7.9 - Arbitrary Program Execution via Local Executable Reference

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10038. PoCs published by Dhiraj Mishra.

AI-analyzed exploit summary: This is a writeup describing a local file path traversal vulnerability in Evernote 7.9 for macOS, allowing arbitrary program execution via crafted URIs in notes. The vulnerability can be exploited by sending malicious .enex files to victims.

Description

Evernote 7.9 on macOS allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as the /Applications/Calculator.app/Contents/MacOS/Calculator file.

Exploits (1)

exploitdb WRITEUP
by Dhiraj Mishra · text · local · macos
https://www.exploit-db.com/exploits/46724


Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Evernote 7.9 for macOS
No auth needed
Prerequisites: Victim must open a crafted .enex file or note containing a malicious URI
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Vendor Advisory x_refsource_misc
https://evernote.com/security/updates

Scores

CVSS v3 7.8
EPSS 0.0131
EPSS Percentile 66.8%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-22
Status published
Products (1)
evernote/evernote 7.9
Published May 31, 2019
Tracked Since Feb 18, 2026