PT-2026-22155 · Videolan · Vlc For Android

Stanislav Fort · Published 2026-02-26 · Updated 2026-02-26 · CVE-2026-26228

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L

Name of the Vulnerable Software and Affected Versions

VideoLAN VLC for Android versions prior to 3.7.0

Description

The software contains a path traversal issue in the Remote Access Server routing for the authenticated endpoint "/download". The "file" query parameter is combined into a filesystem path without proper validation, potentially allowing a network-based attacker to request files outside the intended directory. The impact is limited by Android’s security features, typically restricting access to app-internal and app-specific external storage.

Recommendations

Update VideoLAN VLC for Android to version 3.7.0 or later.
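The weakness class described above, shown as an added example that is not VLC for Android's code or the actual 3.7.0 fix: a query value joined to a base directory without validation, next to a canonicalize-and-contain check. The function names, directory layout and request values are hypothetical and constructed for the demonstration.

```kotlin
import java.io.File
import java.nio.file.Files

// Hypothetical helpers; names are illustrative, not taken from VLC for Android.

// Unvalidated pattern: the query value is joined to the base directory as-is,
// so ".." segments can make the result resolve outside that directory.
fun resolveUnsafe(baseDir: File, fileParam: String): File =
    File(baseDir, fileParam)

// Hardened pattern: canonicalize both paths (resolving "..", "." and symlinks)
// and return the file only if it still lies under the base directory.
fun resolveSafe(baseDir: File, fileParam: String): File? {
    if (fileParam.isEmpty() || fileParam.contains('\u0000')) return null
    val base = baseDir.canonicalFile
    val target = File(base, fileParam).canonicalFile
    // Path.startsWith compares whole path segments, unlike String.startsWith,
    // so a sibling such as "downloads-old" does not pass as "downloads".
    val inside = target.toPath().startsWith(base.toPath())
    return if (inside && target.isFile) target else null
}

fun main() {
    // Constructed layout: <tmp>/downloads is the served directory;
    // <tmp>/private.txt and <tmp>/downloads-old/ must never be served.
    val root = Files.createTempDirectory("ras-demo").toFile()
    val downloads = File(root, "downloads").apply { mkdirs() }
    File(downloads, "movie.srt").writeText("subtitle")
    File(root, "private.txt").writeText("secret")
    File(root, "downloads-old").apply { mkdirs() }.resolve("a.txt").writeText("old")

    val requests = listOf(
        "movie.srt", "../private.txt",
        "sub/../../private.txt", "../downloads-old/a.txt"
    )
    for (r in requests) {
        val unsafe = resolveUnsafe(downloads, r).canonicalPath
        val safe = resolveSafe(downloads, r)?.canonicalPath ?: "rejected"
        println("file=$r\n  unvalidated -> $unsafe\n  contained   -> $safe")
    }
    root.deleteRecursively()
}
```

Only the first request survives the contained resolver; the other three canonicalize to locations outside the served directory and are rejected before any file is opened.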

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-26228

Affected Products

Vlc For Android