Streambert
Monthly
Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. No public exploit identified at time of analysis, but the upstream advisory (GHSA-3q2x-3q9p-qwfc) and fix in v2.5.0 confirm the issue.
Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. No public exploit identified at time of analysis, but the upstream advisory (GHSA-3q2x-3q9p-qwfc) and fix in v2.5.0 confirm the issue.