CVE-2026-26228

VLC for Android < 3.7.0 Remote Access Path Traversal

Assigner: VulnCheck
Reserved: 11.02.2026 Published: 26.02.2026 Updated: 26.02.2026

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	Low	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	VideoLAN
Product	VLC for Android
Versions	Default: unaffected affected from 0 to 3.7.0 (excl.)

Vendor

VideoLAN

Product

VLC for Android

Versions

Default: unaffected

affected from 0 to 3.7.0 (excl.)

Credits

Stanislav Fort, Aisle Reserach, www.aisle.com finder

References

Problem Types