CVE-2026-40027
Received Received - Intake
Path Traversal in ALEAPP NQ_Vault.py Enables Arbitrary File Write

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: VulnCheck

Description
ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40027
EUVD
EUVD-2026-20765
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aleapp aleapp to 3.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ALEAPP (Android Logs Events And Protobuf Parser) through version 3.4.0, specifically in the NQ_Vault.py artifact parser. It involves a path traversal issue where the parser uses attacker-controlled file_name_from values from a database directly as the output filename. This allows an attacker to craft a path traversal payload (e.g., ../../../outside_written.bin) to write files outside the intended report output directory.

By exploiting this, an attacker can write arbitrary files to locations outside the designated directory, potentially overwriting executable files or configuration files.

Impact Analysis

The vulnerability can lead to arbitrary file writes outside the intended directory, which may allow an attacker to overwrite critical executable or configuration files.

This could result in code execution, compromising the security and integrity of the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart