CVE-2026-26228
MediumCVSS 4.9Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
A path traversal vulnerability was found in VideoLAN VLC for Android prior to version 3.7.0 in the Remote Access Server. The vulnerability exists in the authenticated endpoint GET /download, where the file query parameter is concatenated into a filesystem path without canonicalization or directory containment checks. This allows an authenticated attacker with network access to the Remote Access Server to request files outside the intended directory.
Risk Assessment
The risk for the organization is the potential unauthorized reading of application files and data stored in app-specific external storage, which could lead to sensitive information disclosure. However, the impact is limited by Android's application sandbox and storage restrictions.
Recommendation
It is recommended to immediately update VideoLAN VLC for Android to version 3.7.0 or later, which includes a fix for this vulnerability. Additionally, restrict network access to the Remote Access Server to trusted users only.
Original NVD description (English source)
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.

