Path Traversal Vulnerability in VLC Media Player for Android by VideoLAN
CVE-2026-26228

2.3LOW

Key Information:

Vendor

Videolan
Status
Vlc For Android
Vendor
CVE Published:
26 February 2026

What is CVE-2026-26228?

A path traversal vulnerability exists in VLC Media Player for Android prior to version 3.7.0. The flaw arises in the Remote Access Server's handling of the GET /download request, where the file query parameter is directly concatenated into a filesystem path in the configured download directory. This lack of proper validation allows an authenticated attacker, given network access to the Remote Access Server, to manipulate the request and access files outside the intended directory structure. However, the impact is restricted by the Android application sandbox, typically confining exposure to app-internal files and specific external storage.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

VLC for Android 0 < 3.7.0

References

https://www.videolan.org/vlc/download-android.html
product
https://github.com/videolan/vlc-android/releases/tag/3.7.0
patch
https://www.vulncheck.com/advisories/vlc-for-android-remo...
third-party-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stanislav Fort, Aisle Reserach, www.aisle.com
JSON
.