VYPR
High severity7.3NVD Advisory· Published Apr 8, 2026· Updated Apr 13, 2026

CVE-2026-40027

CVE-2026-40027

Description

ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Abrignoni/Aleappreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <=3.4.0

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.