Path Traversal Vulnerability in Toonflow App by HBAI-Ltd
CVE-2026-7086

5.3MEDIUM

Key Information:

Vendor

Hbai-ltd

Status
Toonflow-app
Vendor
CVE Published:
27 April 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-7086?

A security vulnerability has been detected in the Toonflow app by HBAI-Ltd, specifically affecting the updateStoryboardUrl function within the replaceUrl.ts file. This flaw permits unauthorized attackers to potentially exploit path traversal, allowing access to file system paths that should remain secured. As the URL manipulation is possible, remote exploitation of this vulnerability has been deemed feasible. Publicly available exploits can be utilized to leverage this weakness. However, the vendor has indicated that the interface URL is designed to allow only local or trusted domain addresses; any malicious activity would stem from user-modified code. Users should take immediate action to review their configurations and update to the latest version to mitigate risks.

Affected Version(s)

Toonflow-app 1.1.0

Toonflow-app 1.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7086 - Proof of Concept

References

https://vuldb.com/vuln/359661
vdb-entrytechnical-description
https://vuldb.com/vuln/359661/cti
signaturepermissions-required
https://vuldb.com/submit/799584
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu-Bao (VulDB User)
VulDB CNA Team
.