CVE-2026-26228

LOW EPSS 19.2%

Published Feb 26, 20264mo ago · Modified Jun 17, 20261w ago

2.3 CVSS 4.0

Low

Published Feb 26, 2026 4mo ago

Last Modified Jun 17, 2026 1w ago

Description

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.

CVSS Details

Base Score

2.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

19.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt

CWE-73

References 3

github.com https://github.com/videolan/vlc-android/releases/tag/3.7.0
videolan.org https://www.videolan.org/vlc/download-android.html
vulncheck.com https://www.vulncheck.com/advisories/vlc-for-android-remote-access-path-traversal

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.