Skip to main content

4ga Boards EUVDEUVD-2026-25613

| CVE-2026-41419 HIGH
Path Traversal (CWE-22)
2026-04-24 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 19:10 nvd
Patch available
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 21:02 EUVD
Analysis Generated
Apr 24, 2026 - 19:45 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 19:15 euvd
EUVD-2026-25613
Analysis Generated
Apr 24, 2026 - 19:15 vuln.today
CVE Published
Apr 24, 2026 - 18:50 nvd
HIGH 7.6

DescriptionGitHub Advisory

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5.

AnalysisAI

Path traversal in 4ga Boards before 3.3.5 allows authenticated users with board import privileges to force the server to read and expose arbitrary local files as board attachments during BOARDS archive import. Attackers can then download sensitive host files (configuration files, credentials, application source code) through the normal download interface. CVSS score of 7.6 reflects high confidentiality impact with low integrity/availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the attack technique is straightforward for authenticated insiders.

Technical ContextAI

4ga Boards is a realtime project management application. The vulnerability stems from insufficient path validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the BOARDS archive import functionality. When processing imported archives containing attachment references, the application fails to sanitize file paths, allowing directory traversal sequences (e.g., '../../../etc/passwd'). The server processes these malicious paths during import, reads files from arbitrary filesystem locations, and stores them as legitimate board attachments. This converts a path traversal flaw into a persistent file disclosure mechanism, as the exfiltrated files become accessible through the application's standard attachment download API without requiring repeated exploitation.

RemediationAI

Upgrade to 4ga Boards version 3.3.5 or later, which contains the vendor-released patch for this path traversal vulnerability. The fix is confirmed in the GitHub security advisory at https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm. If immediate patching is not feasible, implement temporary compensating controls: restrict board import privileges to only highly trusted administrators (reduces attack surface but does not eliminate risk from compromised admin accounts), run the 4ga Boards application process with minimal filesystem permissions using a dedicated service account with read access only to required directories (limits blast radius of file disclosure), deploy mandatory code review or automated scanning of all BOARDS archives before import (adds operational overhead and may miss obfuscated traversal sequences), and monitor server logs for import operations containing directory traversal patterns like '../' in attachment paths (detection-only control, does not prevent exploitation). These workarounds provide defense-in-depth but do not fully mitigate the vulnerability; upgrading to 3.3.5 is the only complete solution.

Share

EUVD-2026-25613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy