Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.
AnalysisAI
Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.
Technical ContextAI
Root cause: CWE-22 path traversal via unsanitized database field usage as filesystem output path. NQ_Vault.py parser directly uses attacker-controlled file_name_from column values from SQLite databases as output filenames without path validation, enabling directory traversal. CVSSv4 AV:L/PR:N/UI:P indicates local attack surface requiring user to process malicious artifact file.
RemediationAI
Upstream fix available via GitHub commit 0cafd8fe0027663420eb3d0fa821b2d1a713880d addressing path traversal in NQ_Vault.py parser; released patched version not independently confirmed. Apply patch from https://github.com/abrignoni/ALEAPP/commit/0cafd8fe0027663420eb3d0fa821b2d1a713880d or merge pull request 669 (https://github.com/abrignoni/aleapp/pull/669). Consult vendor advisory at https://mobasi.ai/sentinel and VulnCheck analysis at https://www.vulncheck.com/advisories/aleapp-nq-vault-artifact-parser-path-traversal for deployment guidance. Workaround: restrict ALEAPP execution to isolated sandbox environments with limited filesystem write permissions until patched version deployed. Validate all database artifact sources and implement filesystem access controls preventing overwrites of critical system paths.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20765
GHSA-wg7x-9f3g-8524