CVE-2026-7086
Received Received - Intake
Path Traversal in Toonflow-app Storyboard Export Component

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7086
EUVD
EUVD-2026-25770
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hbai-ltd toonflow-app to 1.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7086 is a path traversal vulnerability in the Toonflow App (version 1.1.1 and earlier) affecting the storyboard export feature. It occurs because the application fails to properly validate and sanitize file path inputs in the updateStoryboardUrl function. Specifically, the replaceUrl() function attempts to parse URLs but returns raw input if parsing fails, allowing malicious path traversal strings like "../db2.sqlite" to be stored and later used without proper checks.

An attacker with authentication can inject a malicious file path that escapes the intended directory and then trigger the exportImage endpoint to download a ZIP archive containing arbitrary files from the server. This includes sensitive files such as the application's SQLite database, which holds plaintext admin credentials and JWT signing secrets.

Impact Analysis

This vulnerability can have severe impacts including:

  • Complete exfiltration of the application's SQLite database, exposing all stored data.
  • Theft of plaintext user passwords and JWT signing secrets, enabling attackers to forge admin tokens.
  • Exposure of all configured API keys for integrated AI providers.
  • Arbitrary file read capability on any file accessible by the Node.js process, including sensitive system files like /etc/passwd.
  • Full account takeover and potential further compromise of the application environment.
Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal flaw via the updateStoryboardUrl endpoint and observing if arbitrary files can be read from the server.

Suggested detection steps include:

  • Authenticate and obtain a valid JWT token for the Toonflow app.
  • Send a request to the updateStoryboardUrl endpoint injecting a path traversal payload such as '../db2.sqlite' in the filePath parameter.
  • Trigger the exportImage endpoint to download the ZIP archive containing files referenced by the storyboard.
  • Analyze the ZIP archive to check if sensitive files like the SQLite database or system files (e.g., /etc/passwd) are included.

Commands would depend on the API client used, but a curl example to test might be:

  • curl -X POST -H "Authorization: Bearer <token>" -d '{"filePath": "../db2.sqlite"}' https://<toonflow-app>/updateStoryboardUrl
  • curl -X GET -H "Authorization: Bearer <token>" https://<toonflow-app>/exportImage -o export.zip

Extract and inspect export.zip to verify if unauthorized files are included.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement a check in the exportImage endpoint to ensure that resolved file paths remain strictly inside the intended OSS directory before including them in the ZIP archive.
  • Modify the replaceUrl() function to reject any non-URL inputs by returning an empty string instead of the raw input, preventing path traversal payloads from passing through.
  • Validate and sanitize the filePath input at the time of database write, rejecting any paths containing '..' or other path traversal sequences.
  • Restrict access to the updateStoryboardUrl and exportImage endpoints to trusted users only, and monitor for suspicious activity.

These steps will help prevent arbitrary file reads and protect sensitive data from being exfiltrated.

Compliance Impact

This vulnerability allows an attacker to exfiltrate sensitive data including plaintext user passwords, JWT signing secrets, and API keys by exploiting a path traversal flaw to read arbitrary files on the server.

Such unauthorized access and exposure of sensitive personal and authentication data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could result in non-compliance with these standards due to the compromise of confidentiality and integrity of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart