QwikSec

Security Database

CVE

CWE

Training

CVE-2026-40027

Published: Apr 8, 2026

Modified: Apr 9, 2026

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.

Vendor	Product	Versions
abrignoni	ALEAPP	affected `0 - <= 3.4.0` unaffected `0cafd8fe0027663420eb3d0fa821b2d1a713880d`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

References

product

patch

Mobasi Sentinel Vulnerability Index

vendor-advisory

VulnCheck Advisory: ALEAPP NQ Vault Artifact Parser Path Traversal

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.