Description
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application's current write permissions. This issue has been fixed in version 2.5.0.
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Streambert’s subtitle extraction process does not sanitize archive entry filenames, creating a classic Zip Slip condition. A crafted ZIP that contains directory traversal sequences can override the temporary directory boundary and write files anywhere on the host filesystem, subject to the privileges of the running application. Such arbitrary file writes damage integrity, allow modification or creation of critical system files, and can lead to full compromise of the host if the application runs with elevated rights.

Affected Systems

The flaw exists in Truelockmc Streambert versions 2.4.0 and earlier, all of which are cross‑platform Electron desktop applications. The issue was remedied in release 2.5.0, which can be downloaded from the project’s GitHub releases page.

Risk and Exploitability

The CVSS score of 10 indicates the highest severity, although the EPSS score of <1% suggests a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must supply a malicious ZIP archive to the subtitle extraction routine, which could be achieved through social engineering, spear‑phishing, or exploiting abnormal subtitle downloads. Because the extracted files are written with the application's own permissions, an attacker could overwrite executables or inject malicious payloads, potentially leading to remote code execution on the victim’s machine.

Generated by OpenCVE AI on June 17, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Streambert version 2.5.0 or later, which removes the untrusted extraction path.
  • If upgrading is impossible, run the application under the least‑privileged user context or employ a sandbox environment to limit filesystem write access.
  • Apply routine antivirus or endpoint detection solutions to scan subtitle ZIP archives before they are processed by the application, blocking known malicious payloads.

Generated by OpenCVE AI on June 17, 2026 at 19:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Truelockmc
Truelockmc streambert
Vendors & Products Truelockmc
Truelockmc streambert

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application's current write permissions. This issue has been fixed in version 2.5.0.
Title Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction
Weaknesses CWE-20
CWE-22
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H'}


Subscriptions

Truelockmc Streambert
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T13:22:28.962Z

Reserved: 2026-05-20T18:15:53.579Z

Link: CVE-2026-48055

cve-icon Vulnrichment

Updated: 2026-06-17T13:21:19.185Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:18Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')