VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published May 7, 2026 · Updated May 8, 2026

CVE-2026-8115

Description

A security flaw has been discovered in gyoridavid short-video-maker up to and including version 1.3.4. It affects an unspecified part of the file src/server/routers/rest.ts in the REST API component. Manipulation of the argument req.params.tmpFile leads to path traversal. The attack can be launched remotely. A public exploit has been released and may be used for attacks. The project was informed of the problem early through an issue report but has not responded.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in gyoridavid short-video-maker up to 1.3.4 allows unauthenticated remote attackers to read files outside the intended directories via the REST API.

Vulnerability

Overview

A path traversal vulnerability (CWE-22) has been identified in gyoridavid short-video-maker, an open-source tool for generating short-form videos. The flaw resides in the REST API component, specifically in src/server/routers/rest.ts. The req.params.tmpFile route parameter (and, in the same way, req.params.fileName) is combined with a configured base directory and the result is handed to fs.createReadStream without checking that it still lies inside that directory, so a crafted parameter traverses outside it [1][4].

Exploitation

The attack is remotely exploitable without authentication. The REST API routes /api/tmp/:tmpFile and /api/music/:fileName concatenate user-supplied route parameters with the configured base directories (tempDirPath and musicDirPath). Because the resolved path is never validated to remain within the intended directory, an attacker can supply traversal sequences (e.g., ../) to read files elsewhere on the server host, limited only by the permissions of the account running the service [4]. Whether a bare ../ survives route matching depends on how the router splits the path; percent-encoded separators are decoded into the parameter before the handler uses it, so a filter applied to the raw URL is not a reliable defence. A public exploit has been released, increasing the risk of active attacks [3].

Impact

Successful exploitation allows an attacker to read sensitive files outside the intended temp or music directories, potentially including configuration files, source code, or other data readable by the service account. The CVSS v3 base score is 5.3 (Medium), reflecting a confidentiality-only impact that requires neither authentication nor user interaction [3]. Operators who keep API keys, tokens or other credentials readable by that account should treat the practical impact as higher than the score suggests.

Mitigation

Status

The project maintainer was informed of the vulnerability via an issue report but had not responded or released a fix as of the publication date [4]. Users of versions up to 1.3.4 are advised to add their own validation (canonicalize the joined path and reject anything that does not remain under the base directory, or accept only a single plain filename) or to restrict network access to the affected endpoints until a patch is available. Running the service under an account that can read nothing beyond its own working data limits what a successful traversal can reach.
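The following is an added illustration, not code from the short-video-maker project. It models the pattern described under Exploitation (a route parameter joined to a base directory and passed straight to the file API) next to the containment check the Status paragraph recommends, and a stricter filename-only variant. The base directory, the function names and the sample parameters are assumptions for the example; the real handler, configuration and route names are the project's own.

```typescript
// Added example, not the project's code. Shows the unsafe join beside a
// hardened resolver for a route such as /api/tmp/:tmpFile.
import * as path from "node:path";

// Assumed base directory; the project reads its own tempDirPath from config.
const TEMP_DIR = path.resolve("/srv/short-video-maker/tmp");

// Vulnerable shape: the decoded route parameter is joined to the base directory
// and the result would go to fs.createReadStream with no containment check.
// path.join collapses ".." segments, so "../../../etc/passwd" escapes.
function unsafeResolve(baseDir: string, param: string): string {
  return path.join(baseDir, param);
}

// Hardened: canonicalize, then require the result to sit strictly below baseDir.
// Returns null for anything that must be rejected; never throws on bad input.
function safeResolve(baseDir: string, param: string): string | null {
  if (param.includes("\0")) return null;          // NUL can truncate paths in native calls
  const base = path.resolve(baseDir);
  const candidate = path.resolve(base, param);    // absolute, ".." collapsed; absolute param replaces base
  // base + sep also rejects a sibling directory with the same prefix (tmp vs tmp2)
  if (candidate !== base && candidate.startsWith(base + path.sep)) return candidate;
  return null;
}

// Stricter: these routes only ever serve one file by name, so accept a single
// plain filename and nothing else, then still run the containment check.
function safeFilename(baseDir: string, param: string): string | null {
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/.test(param)) return null;
  return safeResolve(baseDir, param);
}

// Minimal stand-in for the route handler: the framework has already
// percent-decoded the parameter by the time the handler sees it.
function handleTmpRequest(rawParam: string): { status: number; file?: string } {
  const param = decodeURIComponent(rawParam);     // what Express passes as req.params.tmpFile
  const file = safeFilename(TEMP_DIR, param);
  return file === null ? { status: 404 } : { status: 200, file };
}

// Constructed sample requests for a quick manual run (node/tsx).
for (const p of ["clip.mp4", "..%2F..%2F..%2Fetc%2Fpasswd", "../tmp2/x.mp4"]) {
  console.log(p, "->", handleTmpRequest(p), "| unsafe:", unsafeResolve(TEMP_DIR, decodeURIComponent(p)));
}
```

path.resolve does not follow symlinks, so if untrusted users can create entries inside the served directory, resolve the candidate with fs.realpath and repeat the startsWith check on the real path. Returning 404 rather than 400 for rejected names avoids confirming to a probe that a path outside the directory exists.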

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: short-video-maker (npm)
Affected versions: <= 1.3.4
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 6

News mentions: 0 (no linked articles in our index yet)