CVE-2026-7085

Name of the Vulnerable Software and Affected Versions HBAI-Ltd Toonflow-app versions prior to 1.1.2

Description A path traversal issue exists in the 'downloadApp' endpoint. Manipulation of the url argument within the z.url() function of the src/routes/setting/about/downloadApp.ts file allows for remote attacks. This exploit is characterized by high complexity and difficult exploitability. The vendor has noted that the interface is intended for online updates with a statically compiled URL in the official repository, meaning the issue typically requires users to have modified the code to be exploitable.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.