Skip to main content

Streambert

1 CVEs product

Monthly

CVE-2026-48055 CRITICAL PATCH Act Now

Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. No public exploit identified at time of analysis, but the upstream advisory (GHSA-3q2x-3q9p-qwfc) and fix in v2.5.0 confirm the issue.

Path Traversal Streambert
NVD GitHub
CVSS 3.1
10.0
EPSS
0.8%
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. No public exploit identified at time of analysis, but the upstream advisory (GHSA-3q2x-3q9p-qwfc) and fix in v2.5.0 confirm the issue.

Path Traversal Streambert
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy