Description
A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Traversal via updateStoryboardUrl
Action: Mitigate
AI Analysis

Impact

The updateStoryboardUrl function in replaceUrl.ts allows manipulation of the url argument, leading to a path traversal vulnerability that could expose or alter files outside the intended directory. The flaw can be triggered remotely by supplying crafted URLs, and a public exploit exists, though whether the vulnerability genuinely exists remains unclear: the vendor states that the interface is designed to receive only local or docker-configured trusted addresses. The risk is therefore highest if the code has been modified or the endpoint is exposed to untrusted input.

Affected Systems

HBAI-Ltd Toonflow-app versions up to 1.1.1 are affected. No other versions or products are specifically listed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS puts the exploitation probability below 1%, and the vulnerability is not listed in CISA KEV, suggesting limited exploitation in the wild. The attack vector is remote, via the exposed updateStoryboardUrl endpoint; an attacker supplying unsanitized URLs could read or write arbitrary files, compromising confidentiality or enabling further attacks if the application runs with elevated privileges.

Generated by OpenCVE AI on April 28, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the updateStoryboardUrl endpoint to trusted internal networks or localhost only, blocking remote access from untrusted clients.
  • Implement strict input validation or a whitelist that accepts only local or docker-configured domain URLs before the function processes them.
  • If the endpoint is not required in your deployment, disable or remove it entirely.
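The allowlist check from the second action, as an added TypeScript example that is not Toonflow-app code: checkStoryboardUrl and DEFAULT_ALLOWED_HOSTS are hypothetical names, and the host list is a constructed stand-in for the docker-configured addresses the vendor refers to.

```typescript
// Added example, not Toonflow-app code: validate a storyboard URL against an
// allowlist of local / docker-configured hosts before any path handling runs.
// checkStoryboardUrl and DEFAULT_ALLOWED_HOSTS are hypothetical names.

// Constructed sample allowlist; a real deployment would load the hosts it
// trusts from the same docker configuration the vendor refers to.
const DEFAULT_ALLOWED_HOSTS: ReadonlySet<string> = new Set(["localhost", "127.0.0.1", "storage.internal"]);

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

function checkStoryboardUrl(raw: string, allowedHosts: ReadonlySet<string> = DEFAULT_ALLOWED_HOSTS): UrlCheck {
  let parsed: URL;
  try {
    parsed = new URL(raw); // absolute URLs only; relative input is rejected
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  // The parser lower-cases the host, so an exact allowlist match suffices.
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: `host ${parsed.hostname} not in allowlist` };
  }
  // The WHATWG parser already collapses ".." and "%2e%2e" segments. Decoding
  // each segment exactly once and refusing leftover "%" or separator characters
  // blocks double-encoded dots ("%252e%252e") and encoded slashes ("%2f") that
  // a later decode-and-join step could turn into traversal.
  for (const seg of parsed.pathname.split("/")) {
    let decoded: string;
    try {
      decoded = decodeURIComponent(seg);
    } catch {
      return { ok: false, reason: "malformed percent-encoding in path" };
    }
    if (decoded === "." || decoded === "..") {
      return { ok: false, reason: "dot segment in path" };
    }
    if (/[%\/\\\0]/.test(decoded)) {
      return { ok: false, reason: "encoded separator or double-encoding in path" };
    }
  }
  return { ok: true, url: parsed };
}
```

Only a result with ok set to true should reach the export logic; the reason string is meant for a server-side log, not for the client.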



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hbai-ltd; Hbai-ltd toonflow-app
Vendors & Products | | Hbai-ltd; Hbai-ltd toonflow-app

Mon, 27 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."
Title | | HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal
Weaknesses | | CWE-22
References | | (none listed)
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C'}
Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C'}
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T11:22:34.836Z

Reserved: 2026-04-26T08:16:28.410Z

Link: CVE-2026-7086

Vulnrichment

Updated: 2026-04-27T11:22:31.446Z

NVD

Status: Deferred

Published: 2026-04-27T06:16:03.223

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses