Description
A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that "[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address."
Published: 2026-04-27
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unverified Path Traversal Vulnerability
Action: Verify
AI Analysis

Impact

The reported flaw lies in the z.url function of the downloadApp endpoint for HBAI-Ltd Toonflow-app. The function accepts a URL argument that, if improperly handled, could resolve file system paths outside the intended directory, enabling path traversal. However, the CVE description states that the "real existence of this vulnerability is still doubted at the moment" and the vendor has explained that the update URL is statically compiled into the code; unless the code is modified by a user, the request will target the official source address. Accordingly, the existence and exploitable nature of the flaw remain unconfirmed, though the mechanism described suggests a potential for unauthorized file access if the conditions were met.

Affected Systems

All installations of HBAI‑Ltd Toonflow‑app up to version 1.1.1 may contain the flaw described in the CVE. No newer releases have been cited in the vendor data, so the risk profile applies to any deployment within this version range until an official fix is disclosed.

Risk and Exploitability

The CVSS score of 2.3 indicates a low overall risk, and the EPSS score of < 1 % points to a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. While remote exploitation is theoretically possible via the publicly exposed downloadApp endpoint, the vendor’s comments and the high launch cost described in the CVE suggest that successful attacks would be difficult if they exist at all.

Generated by OpenCVE AI on April 29, 2026 at 02:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check that the deployed Toonflow‑app version correlates with the vulnerable range and that no custom code modifications expose a launch URL
  • Restrict the downloadApp endpoint to trusted internal networks or require authentication before allowing access
  • Implement server‑side validation that rejects traversal patterns (e.g., "..") or enforces strict whitelisting of accepted update URLs

Generated by OpenCVE AI on April 29, 2026 at 02:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Hbai-ltd
Hbai-ltd toonflow-app
Vendors & Products Hbai-ltd
Hbai-ltd toonflow-app

Mon, 27 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that "[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address."
Title HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal
Weaknesses CWE-22
References
Metrics cvssV2_0

{'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}

cvssV3_0

{'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}

cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Hbai-ltd Toonflow-app
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:40:00.817Z

Reserved: 2026-04-26T08:16:25.266Z

Link: CVE-2026-7085

cve-icon Vulnrichment

Updated: 2026-04-27T12:39:54.207Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T04:16:10.247

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7085

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses