Description
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
Published: 2026-02-26
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Path Traversal
Action: Apply Patch
AI Analysis

Impact

VideoLAN VLC for Android includes a Remote Access Server that exposes a GET /download endpoint. The endpoint builds a local filesystem path by appending the file query parameter directly to the configured download directory, with no canonicalization or containment check. An authenticated attacker who can reach the Remote Access Server can therefore retrieve files outside the intended download folder, although the Android application sandbox limits exposure to the app's own internal storage and app-specific external storage.
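The defect described above is a generic one: a request parameter joined onto a base directory with no canonicalization or containment check. The following is an added illustration written for this page, not code from VLC for Android (whose Remote Access Server is not written in Python); the directory layout, file names and the two resolver functions are constructed for the demonstration. It places the flawed pattern beside a hardened resolver that canonicalizes the path, follows symlinks, and refuses anything that does not land inside the download directory.

```python
import os
import shutil
import tempfile


def resolve_unsafe(download_dir: str, file_param: str) -> str:
    """The flawed pattern the advisory describes (constructed stand-in):
    the request parameter is joined onto the download directory with no
    canonicalization or containment check. Note that os.path.join also
    discards download_dir entirely when file_param is an absolute path."""
    return os.path.join(download_dir, file_param)


def resolve_safe(download_dir: str, file_param: str):
    """Hardened version: canonicalize both sides (resolving '..' and
    symlinks), then require the candidate to sit inside the base directory.
    Returns the real path to serve, or None when the request must be rejected.
    file_param is assumed to be the already URL-decoded query value."""
    base = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(base, file_param))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture() -> tuple:
    """Constructed sandbox: a download directory holding one legitimate
    file, and a sibling file that must never be reachable via /download."""
    root = tempfile.mkdtemp(prefix="ras-demo-")
    download_dir = os.path.join(root, "downloads")
    os.makedirs(download_dir)
    with open(os.path.join(download_dir, "movie.mp4"), "wb") as f:
        f.write(b"constructed media bytes")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("constructed app-private data")
    # A symlink inside the directory that points outside it; realpath()
    # follows it, so the containment check still catches the escape.
    try:
        os.symlink(secret, os.path.join(download_dir, "link.txt"))
    except (OSError, NotImplementedError, AttributeError):
        pass  # platforms without symlink support: the name simply does not exist
    return root, download_dir, secret


def run_demo() -> dict:
    """Exercise both resolvers against legitimate and escaping inputs."""
    root, download_dir, secret = build_fixture()
    try:
        unsafe = resolve_unsafe(download_dir, "../secret.txt")
        return {
            # the naive join happily resolves to the sibling file
            "unsafe_escapes": os.path.isfile(unsafe)
            and os.path.realpath(unsafe) == os.path.realpath(secret),
            # the hardened resolver still serves an in-directory file
            "safe_serves_legit": resolve_safe(download_dir, "movie.mp4") is not None,
            # ... and rejects '..' traversal, absolute paths and symlink escapes
            "safe_rejects_traversal": resolve_safe(download_dir, "../secret.txt") is None,
            "safe_rejects_absolute": resolve_safe(download_dir, secret) is None,
            "safe_rejects_symlink": resolve_safe(download_dir, "link.txt") is None,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {passed}")
```

The containment test compares canonical paths rather than string prefixes: a prefix check on `/data/downloads` would also accept `/data/downloads-private/x`, whereas `os.path.commonpath` only matches on a whole path component. Canonicalizing before the check is what makes the symlink case safe; checking the raw parameter for `..` is not sufficient.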

Affected Systems

Any Android device running VLC for Android earlier than version 3.7.0 is vulnerable, regardless of other security settings on the device. The flaw lies within the Android application bundle itself and does not affect native binaries or the underlying operating system.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS of <1% suggests a very small likelihood of exploitation. The attack requires authentication and network access to the Remote Access Server, so only users who can log in to that service and reach it over the network can exploit the flaw. The vulnerability is not listed in CISA's KEV catalog, so no known in-the-wild exploitation has been recorded there at this time.

Generated by OpenCVE AI on April 16, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to VLC for Android 3.7.0 or later
  • Disable the Remote Access Server feature if it is not needed
  • Configure network firewall rules to restrict access to the Remote Access Server port to trusted hosts only

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Videolan vlc
CPEs                                  cpe:2.3:a:videolan:vlc:*:*:*:*:*:*:*:*
Vendors & Products                    Videolan vlc

Fri, 27 Feb 2026 18:30:00 +0000

Type        Values Removed   Values Added
References
Metrics                      cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L'}

Fri, 27 Feb 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Videolan; Videolan vlc For Android
Vendors & Products                    Videolan; Videolan vlc For Android

Thu, 26 Feb 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description                    VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
Title                          VLC for Android < 3.7.0 Remote Access Path Traversal
Weaknesses                     CWE-22, CWE-73
References
Metrics                        cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T18:01:38.466Z

Reserved: 2026-02-11T20:08:07.946Z

Link: CVE-2026-26228

Vulnrichment

Updated: 2026-02-26T18:15:13.382Z

NVD

Status: Deferred

Published: 2026-02-26T16:24:07.343

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses