Skip to main content

Streambert CVE-2026-48055

| EUVDEUVD-2026-37500 CRITICAL
Improper Input Validation (CWE-20)
2026-06-16 GitHub_M
10.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
vuln.today AI
8.3 HIGH

Network-delivered archive but victim must trigger subtitle extraction (UI:R); no auth needed; arbitrary file write yields high integrity/availability and limited confidentiality via dropped code, scope unchanged within user context.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 16, 2026 - 23:28 vuln.today
Analysis Generated
Jun 16, 2026 - 23:28 vuln.today
Patch available
Jun 16, 2026 - 23:02 EUVD

DescriptionCVE.org

Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application's current write permissions. This issue has been fixed in version 2.5.0.

AnalysisAI

Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to attacker-controlled media
Delivery
Client fetches malicious subtitle ZIP
Exploit
Extractor processes traversal entry names
Execution
Payload written to autostart/config path
Persist
User login or app restart executes payload
Impact
Code execution as the desktop user

Vulnerability AssessmentAI

Exploitation Requires the victim to initiate subtitle extraction in Streambert ≤2.4.0 against an attacker-controlled subtitle archive - meaning the attacker must either compromise/spoof a subtitle provider the client queries, run a man-in-the-middle on the subtitle download, or trick the user into selecting a malicious media source whose subtitle URL they control. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H) appears overstated for the described attack: exploitation requires the victim to trigger subtitle extraction for an attacker-controlled media/subtitle source, which in a desktop client is effectively user-driven rather than truly unauthenticated remote. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a media entry whose subtitle source returns a ZIP archive containing an entry named like `../../../../Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.exe`. When the victim plays the title in Streambert ≤2.4.0, the client fetches and extracts the archive, dropping the payload into the autostart folder; on the next login the attacker gains code execution as the user. …
Remediation Upgrade to Streambert 2.5.0 or later, released at https://github.com/truelockmc/streambert/releases/tag/2.5.0, which contains the fix credited to @jeremyHOT and @truelockmc per the advisory at https://github.com/truelockmc/streambert/security/advisories/GHSA-3q2x-3q9p-qwfc. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Streambert versions ≤2.4.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48055 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy