Description
ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.
Published: 2026-04-08
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write with Potential Code Execution
Action: Immediate Patch
AI Analysis

Impact

ALEAPP, a parser for Android log events, has a path traversal flaw in its NQ_Vault.py artifact parser. The vulnerability arises when the parser writes output files using file names pulled directly from a database entry. An attacker can embed a traversal payload like '../../../outside_written.bin' in the database, causing ALEAPP to create or overwrite files outside its intended report directory. This permits arbitrary file writes and can lead to execution of malicious code by replacing executables or altering configuration files.

Affected Systems

The flaw affects all installations of ALEAPP prior to version 3.4.0 compiled from the abrignoni repository. The affected product is ALEAPP, version 3.4.0 and older. As the vulnerability originates in the NQ_Vault.py module, any system relying on that parser for processing NQ Vault artifacts is susceptible.

Risk and Exploitability

The CVSS base score is 8.4, indicating high severity. No EPSS score is reported, and the issue has not been cataloged in the CISA KEV list. The exploit requires an attacker with write access to the database entry or the ability to influence the data used by ALEAPP. Given the potential for arbitrary file writes, a successful exploitation could result in code execution or system compromise. The vector is likely local or restricted to the environment where ALEAPP processes logs, but remote attackers with database access could also leverage it.

Generated by OpenCVE AI on April 8, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ALEAPP to the latest release that includes a fix for the NQ_Vault.py path traversal bug.
  • If a patch is not available, restrict write access to the database entries used by the parser or implement input filtering to reject traversal patterns.
  • Ensure the output directory has filesystem permissions that prevent ALEAPP from writing outside its intended path.
  • Monitor system logs for unexpected file writes or suspicious database entries, and consider setting up alerts for path traversal attempts.

Generated by OpenCVE AI on April 8, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Abrignoni
Abrignoni aleapp
Vendors & Products Abrignoni
Abrignoni aleapp

Wed, 08 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.
Title ALEAPP NQ Vault Artifact Parser Path Traversal
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Abrignoni Aleapp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:16:28.120Z

Reserved: 2026-04-08T13:36:46.362Z

Link: CVE-2026-40027

cve-icon Vulnrichment

Updated: 2026-04-09T13:41:20.815Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T22:16:22.957

Modified: 2026-06-17T10:44:37.590

Link: CVE-2026-40027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:25:55Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')