
VLC for Android Prior to 3.7.0 Allows Hackers to Access Internal Files

CVE-2026-26228
Summary

A path traversal issue in VLC for Android allows an authenticated attacker who can reach the app's Remote Access Server over the network to request files outside the configured download directory. This is a concern because it could lead to unauthorized access to sensitive data, although the exposure is bounded by the Android application sandbox. To fix this, update VLC for Android to version 3.7.0 or later.

Original title
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is...
Original description
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
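The pattern the description names, next to a canonicalize-and-contain check, as an added Kotlin example (not VLC's code and not part of the advisory). The function names `resolveUnchecked` and `resolveContained` are hypothetical, and the directory layout and request values are constructed for the demonstration.

```kotlin
import java.io.File
import java.nio.file.Files

// Pattern from the description: the parameter is joined to the download
// directory and used as-is, so ".." segments are never resolved or checked.
fun resolveUnchecked(downloadDir: File, fileParam: String): File =
    File(downloadDir.path + File.separator + fileParam)

// Hardened form: canonicalize both sides (resolves "..", "." and symlinks),
// then require the result to sit strictly inside the download directory.
// canonicalFile may throw IOException; a caller should treat that as a rejection.
fun resolveContained(downloadDir: File, fileParam: String): File? {
    if (fileParam.isEmpty() || fileParam.indexOf('\u0000') >= 0) return null
    val base = downloadDir.canonicalFile.toPath()
    val target = File(downloadDir, fileParam).canonicalFile.toPath()
    // Path.startsWith compares whole path components, so a sibling such as
    // "downloads-old" does not pass as being inside "downloads".
    if (target == base || !target.startsWith(base)) return null
    val file = target.toFile()
    return if (file.isFile) file else null
}

fun main() {
    // Constructed layout: <root>/downloads/clip.mp4 is servable, the rest is not.
    val root = Files.createTempDirectory("ras-demo").toFile()
    val downloads = File(root, "downloads").apply { mkdirs() }
    File(downloads, "clip.mp4").writeText("media")
    File(root, "prefs.xml").writeText("private")
    File(root, "downloads-old").mkdirs()
    File(root, "downloads-old/a.mp4").writeText("old")

    val base = downloads.canonicalFile.toPath()
    val requests = listOf("clip.mp4", "./clip.mp4", "../prefs.xml",
        "../downloads-old/a.mp4", "")
    for (req in requests) {
        val unchecked = resolveUnchecked(downloads, req).canonicalFile.toPath()
        val escapes = !unchecked.startsWith(base)
        val checked = resolveContained(downloads, req)
        println("%-26s unchecked escapes=%-5s contained=%s".format(
            "'$req'", escapes, checked?.name ?: "REJECT"))
    }
    root.deleteRecursively()
}
```

Only the first two requests resolve to `clip.mp4` under the contained check; the unchecked join leaves the download directory for both `..` requests.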
nvd CVSS3.1 4.9
nvd CVSS4.0 2.3
Vulnerability type
CWE-22 Path Traversal
CWE-73
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026