CVE-2026-26228 LOW

CVE-2026-26228: VLC for Android < 3.7.0 Remote Access Path Traversal

Vendor Videolan
Product VLC for Android
Weakness CWE-22 · Path traversal
Published February 26, 2026
Last update March 5, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
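The missing canonicalization and containment check described above, as an added example in Kotlin. This is not VLC for Android's own code: the function names, directory layout and sample values are constructed for illustration.

```kotlin
import java.io.File
import java.nio.file.Files

// Hypothetical helper names; not taken from the VLC for Android code base.

// Pattern the advisory describes: the query value is joined to the
// download directory and the result is used as-is.
fun resolveNaive(downloadDir: File, fileParam: String): File =
    File(downloadDir, fileParam)

// Hardened form: canonicalize both sides, then require the result to sit
// strictly inside the download directory and to be a regular file.
fun resolveContained(downloadDir: File, fileParam: String): File? {
    if (fileParam.isEmpty() || fileParam.indexOf('\u0000') >= 0) return null
    val base = downloadDir.canonicalFile
    val target = File(base, fileParam).canonicalFile
    // The trailing separator stops a sibling such as "downloads-old"
    // from passing a bare prefix comparison against "downloads".
    val inside = target.path.startsWith(base.path + File.separator)
    return if (inside && target.isFile) target else null
}

fun main() {
    // Constructed layout: <tmp>/app/downloads/video.mp4, <tmp>/app/prefs.xml,
    // and a sibling directory <tmp>/app/downloads-old/x.txt.
    val root = Files.createTempDirectory("ras-demo").toFile()
    val downloads = File(root, "app/downloads").apply { mkdirs() }
    File(downloads, "video.mp4").writeText("media")
    File(root, "app/prefs.xml").writeText("app-internal data")
    File(root, "app/downloads-old").mkdirs()
    File(root, "app/downloads-old/x.txt").writeText("old")

    // Constructed values for the "file" query parameter.
    val samples = listOf(
        "video.mp4", "../prefs.xml", "sub/../../prefs.xml", "../downloads-old/x.txt"
    )
    for (p in samples) {
        val naive = resolveNaive(downloads, p).canonicalPath
        val safe = resolveContained(downloads, p)?.path ?: "REJECTED"
        println("file=$p\n  naive     -> $naive\n  contained -> $safe")
    }
    root.deleteRecursively()
}
```

Only `video.mp4` resolves under the contained variant; the other three sample values resolve outside the download directory in the naive variant and are rejected by the check.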

Key dates

02 Disclosure timeline

February 26, 2026 CVE published
March 5, 2026 Record updated