CVE-2026-41419 PUBLISHED

4ga Boards: Import Path Traversal Leads to Arbitrary File Read

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 24.04.2026 Updated: 24.04.2026

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS Score: 7.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	RARgames
Product	4gaBoards
Versions	Version < 3.3.5 is affected

References

https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE