Description
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5.
Published: 2026-04-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Local File Disclosure
Action: Immediate Patch
AI Analysis

Impact

A path‑traversal flaw in 4gaBoards allows an authenticated user with board import privileges to instruct the server to ingest arbitrary files from the host system during a board archive import. Once the file is imported as an attachment, it becomes downloadable through the standard application interface, resulting in unauthorized disclosure of sensitive local files. The vulnerability is limited to accounts that have permission to import boards, and it does not provide remote code execution or elevation beyond that access.

Affected Systems

RAGames 4gaBoards versions earlier than 3.3.5 are affected. The vulnerability exists in the import routine of the board archive feature; no other versions or vendors are currently listed as impacted.

Risk and Exploitability

The CVSS score is 7.6, indicating a high severity of confidentiality impact. The EPSS score is below 1%, implying a low likelihood of exploitation. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with board‑import privileges; once such a user practices a traversal attack, they can read any accessible file on the host and then retrieve it via the normal download mechanism.

Generated by OpenCVE AI on April 28, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 4gaBoards 3.3.5 or later update
  • Restrict board import privileges to only accounts that require them
  • Audit existing board imports for sensitive content and remove any that should not be exposed

Generated by OpenCVE AI on April 28, 2026 at 05:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Rargames
Rargames 4gaboards
Vendors & Products Rargames
Rargames 4gaboards

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description 4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5.
Title 4ga Boards: Import Path Traversal Leads to Arbitrary File Read
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}

Subscriptions

Rargames 4gaboards
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:35:11.635Z

Reserved: 2026-04-20T15:32:33.813Z

Link: CVE-2026-41419

cve-icon Vulnrichment

Updated: 2026-04-27T13:09:14.509Z

cve-icon NVD

Status : Deferred

Published: 2026-04-24T19:17:13.603

Modified: 2026-04-27T19:10:45.587

Link: CVE-2026-41419

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses