Evernote has fixed a vulnerability that could have allowed an attacker to run malicious code on a victim’s computer.
Dhiraj Mishra, a security researcher based in Dubai, reported the bug to Evernote on March 17. In a blog post showing his proof-of-concept, Mishra showed TechCrunch that a user only had to click a link masked as a web address, which would open a locally stored app or file unhindered and without warning.
Evernote spokesperson Shelby Busen confirmed the bug had been fixed, and said the company “appreciates” the contributions from security researchers.
MITRE, the vulnerability database keeper, issued an advisory under CVE-2019-10038.
The bug could allow an attacker to remotely run malicious commands on any macOS computer with Evernote installed. Since the fix went into effect, Evernote now warns users when they click a link that opens a file on their Mac.
A similar local file path traversal bug was revealed Tuesday in Electronic Arts’ Origin gaming client.
Evernote was forced to reset close to 50 million passwords after a breach in 2013, and later caused controversy by changing its privacy policy that allowed employees to access user data. The company later walked back the policy change after user complaints.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Security flaw in EA’s Origin client exposed gamers to hackers
