Skip to main content

Google CVE-2026-40027

| EUVDEUVD-2026-20765 HIGH
Path Traversal (CWE-22)
2026-04-08 VulnCheck GHSA-wg7x-9f3g-8524
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 22:01 euvd
EUVD-2026-20765
Analysis Generated
Apr 08, 2026 - 22:01 vuln.today
Patch released
Apr 08, 2026 - 22:01 nvd
Patch available
CVE Published
Apr 08, 2026 - 21:35 nvd
HIGH 8.4

DescriptionCVE.org

ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.

AnalysisAI

Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.

Technical ContextAI

Root cause: CWE-22 path traversal via unsanitized database field usage as filesystem output path. NQ_Vault.py parser directly uses attacker-controlled file_name_from column values from SQLite databases as output filenames without path validation, enabling directory traversal. CVSSv4 AV:L/PR:N/UI:P indicates local attack surface requiring user to process malicious artifact file.

RemediationAI

Upstream fix available via GitHub commit 0cafd8fe0027663420eb3d0fa821b2d1a713880d addressing path traversal in NQ_Vault.py parser; released patched version not independently confirmed. Apply patch from https://github.com/abrignoni/ALEAPP/commit/0cafd8fe0027663420eb3d0fa821b2d1a713880d or merge pull request 669 (https://github.com/abrignoni/aleapp/pull/669). Consult vendor advisory at https://mobasi.ai/sentinel and VulnCheck analysis at https://www.vulncheck.com/advisories/aleapp-nq-vault-artifact-parser-path-traversal for deployment guidance. Workaround: restrict ALEAPP execution to isolated sandbox environments with limited filesystem write permissions until patched version deployed. Validate all database artifact sources and implement filesystem access controls preventing overwrites of critical system paths.

Share

CVE-2026-40027 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy