CVE Alert

CVE-2026-26228

MEDIUM 4.9

VLC for Android < 3.7.0 Remote Access Path Traversal

CVSS Score 4.9
EPSS Score 0.0%
EPSS Percentile 0th

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
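As an added illustration, not VLC's own code, the unsafe pattern the advisory describes (joining the file parameter onto the download directory with no canonicalization or containment check) is shown beside a hardened resolver; the directory and function names are constructed for the demo. In Kotlin/Java the equivalent check is File.getCanonicalFile() on both sides followed by a parent-directory comparison.

```python
import os
import tempfile


def vulnerable_resolve(download_dir: str, file_param: str) -> str:
    """The pattern the advisory describes: the query value is joined onto the
    download directory with no canonicalization and no containment check.
    Note that os.path.join also discards the root if file_param is absolute."""
    return os.path.join(download_dir, file_param)


def contained_resolve(download_dir: str, file_param: str):
    """Hardened form: canonicalize both sides (resolving '..' and symlinks),
    then require the result to lie strictly inside the download root.
    Returns the safe absolute path, or None if the request must be refused."""
    root = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(root, file_param))
    # commonpath avoids the naive startswith() pitfall where
    # "/srv/downloads-other" would pass a check for "/srv/downloads".
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def symlink_escape_is_rejected() -> bool:
    """Shows why canonicalization must resolve symlinks: a link inside the
    root that points outside it is only caught after realpath()."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "downloads")
        outside = os.path.join(base, "secret.txt")  # constructed target file
        os.mkdir(root)
        with open(outside, "w") as fh:
            fh.write("not for the download endpoint\n")
        os.symlink(outside, os.path.join(root, "innocent.mp4"))
        return contained_resolve(root, "innocent.mp4") is None


if __name__ == "__main__":
    root = "/srv/vlc-downloads"  # constructed; not VLC's real directory
    for param in ("video.mp4", "sub/../video.mp4", "../../etc/hosts", "/etc/hosts"):
        print(f"{param!r:20} naive={vulnerable_resolve(root, param)!r:40} "
              f"checked={contained_resolve(root, param)!r}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```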

CWE CWE-22 CWE-73
Vendor videolan
Product vlc for android
Published Feb 26, 2026
Last Updated Mar 5, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability Low

Affected Versions

VideoLAN / VLC for Android
0 < 3.7.0

References

NVD
CVE.org
EPSS Data
videolan.org: https://www.videolan.org/vlc/download-android.html
github.com: https://github.com/videolan/vlc-android/releases/tag/3.7.0
vulncheck.com: https://www.vulncheck.com/advisories/vlc-for-android-remote-access-path-traversal

Credits

Stanislav Fort, Aisle Research, www.aisle.com