Path Traversal Vulnerability in HBAI-Ltd Toonflow App
CVE-2026-7085

2.3LOW

Key Information:

Vendor: Hbai-ltd
Status: Toonflow-app
Vendor: CVE Published:; 27 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7085?

A vulnerability exists in the HBAI-Ltd Toonflow-app affecting the z.url functionality in the downloadApp endpoint, which can be exploited to achieve path traversal. This flaw allows an attacker to potentially manipulate the URL parameter exploited remotely. The complexity of this attack is high due to the nature of the exploit, which has been publicly disclosed, although actual exploitation remains in question according to the vendor's response. Notably, the relevant update URL is hardcoded in the official repository, limiting the scope of possible exploitation unless the code is altered by users.

Affected Version(s)

Toonflow-app 1.1.0

Toonflow-app 1.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7085 - Proof of Concept

References

https://vuldb.com/vuln/359660

vdb-entrytechnical-description

https://vuldb.com/vuln/359660/cti

signaturepermissions-required

https://vuldb.com/submit/799583

third-party-advisory

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 27, 2026
👾
Exploit known to exist
Apr 27, 2026
Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 26, 2026

Credit

Yu Bao (VulDB User)

VulDB CNA Team

CVE-2026-7085 Data

JSON

Hbai-ltd