Path Traversal Vulnerability in ALEAPP Android Logs Events and Protobuf Parser
CVE-2026-40027

8.4 HIGH

Key Information:

Vendor: Abrignoni

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-40027?

ALEAPP, specifically version 3.4.0, has a path traversal vulnerability in the NQ_Vault.py artifact parser. The parser takes the attacker-controlled file_name_from value from a database and uses it as the output filename, which allows arbitrary file writes outside the designated report output directory. An attacker can exploit this by embedding a path traversal payload in that value, causing files to be written to unintended locations. The risks are significant and include potential code execution through overwriting executable files or configuration settings.
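The containment check this class of bug calls for, shown next to the unsafe join, as an added example; it is not ALEAPP's code or its actual fix. The function names, the reduce-to-basename policy and the sample values are assumptions; only `file_name_from` comes from the advisory.

```python
import os
from pathlib import Path, PureWindowsPath


def naive_output_path(report_dir, file_name_from):
    """Unsafe pattern: the database value is joined to the report directory as-is."""
    return os.path.normpath(os.path.join(report_dir, file_name_from))


def safe_output_path(report_dir, file_name_from):
    """Map an untrusted database filename to a path that stays inside report_dir.

    Policy (an assumption of this example): keep only the final path component,
    then verify the resolved result is a direct child of the report directory.
    """
    base = Path(report_dir).resolve()
    # PureWindowsPath splits on both "/" and "\", so the same rule applies
    # whether the examiner's workstation runs Windows, Linux or macOS.
    name = PureWindowsPath(file_name_from.replace("\x00", "")).name
    if name in ("", ".", ".."):
        raise ValueError(f"unusable output filename: {file_name_from!r}")
    # resolve() follows symlinks, so a link planted in the report directory
    # that points elsewhere fails the containment check below.
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise ValueError(f"output path escapes report directory: {file_name_from!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample values standing in for rows read from an untrusted database.
    report = "/tmp/aleapp_report"
    for value in ("photo.jpg", "../../etc/cron.d/job", "..\\..\\startup.py", ".."):
        print("value :", repr(value))
        print("  naive:", naive_output_path(report, value))
        try:
            print("  safe :", safe_output_path(report, value))
        except ValueError as exc:
            print("  safe : rejected,", exc)
```

When a name is rewritten, recording the original `file_name_from` value alongside the output preserves the evidence that the database carried a traversal payload.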

Affected Version(s)

ALEAPP 0 <= 3.4.0

ALEAPP 0cafd8fe0027663420eb3d0fa821b2d1a713880d

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mobasi Security Team