Medium severity4.9NVD Advisory· Published Feb 26, 2026· Updated Apr 15, 2026

CVE-2026-26228

Description

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.

Affected products

VideoLAN/Vlc Androidreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/videolan/vlc-android/releases/tag/3.7.0nvd
www.videolan.org/vlc/download-android.htmlnvd
www.vulncheck.com/advisories/vlc-for-android-remote-access-path-traversalnvd

News mentions

No linked articles in our index yet.

cvss	0.319
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000