{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41419", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T15:32:33.813Z", "datePublished": "2026-04-24T18:50:44.763Z", "dateUpdated": "2026-04-27T13:35:11.635Z"}, "containers": {"cna": {"title": "4ga Boards: Import Path Traversal Leads to Arbitrary File Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm"}], "affected": [{"vendor": "RARgames", "product": "4gaBoards", "versions": [{"version": "< 3.3.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:50:44.763Z"}, "descriptions": [{"lang": "en", "value": "4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5."}], "source": {"advisory": "GHSA-rrjq-7x8g-cmgm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:09:13.344487Z", "id": "CVE-2026-41419", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:35:11.635Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41419", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:09:13.344487Z"}}}], "references": [{"url": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:09:14.509Z"}}], "cna": {"title": "4ga Boards: Import Path Traversal Leads to Arbitrary File Read", "source": {"advisory": "GHSA-rrjq-7x8g-cmgm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "RARgames", "product": "4gaBoards", "versions": [{"status": "affected", "version": "< 3.3.5"}]}], "references": [{"url": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm", "name": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:50:44.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41419", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:35:11.635Z", "dateReserved": "2026-04-20T15:32:33.813Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T18:50:44.763Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import. Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5."}], "id": "CVE-2026-41419", "lastModified": "2026-04-27T19:10:45.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T19:17:13.603", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/RARgames/4gaBoards/security/advisories/GHSA-rrjq-7x8g-cmgm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "4gaBoards", "source": "cna", "vendor": "RARgames"}, "product": "4gaboards", "vendor": "rargames"}], "analysis": {"en": {"generated_at": "2026-04-28T05:52:38.517447+00:00", "value": {"mitigation_remediation": ["Apply the 4gaBoards 3.3.5 or later update", "Restrict board import privileges to only accounts that require them", "Audit existing board imports for sensitive content and remove any that should not be exposed"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Local File Disclosure"}, "threat_synthesis": {"affected_systems": "RAGames 4gaBoards versions earlier than 3.3.5 are affected. The vulnerability exists in the import routine of the board archive feature; no other versions or vendors are currently listed as impacted.", "description_and_impact": "A path\u2011traversal flaw in 4gaBoards allows an authenticated user with board import privileges to instruct the server to ingest arbitrary files from the host system during a board archive import. Once the file is imported as an attachment, it becomes downloadable through the standard application interface, resulting in unauthorized disclosure of sensitive local files. The vulnerability is limited to accounts that have permission to import boards, and it does not provide remote code execution or elevation beyond that access.", "risk_and_exploitability": "The CVSS score is 7.6, indicating a high severity of confidentiality impact. The EPSS score is below 1%, implying a low likelihood of exploitation. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with board\u2011import privileges; once such a user practices a traversal attack, they can read any accessible file on the host and then retrieve it via the normal download mechanism."}}}}, "created": "2026-04-27T20:20:39.070981+00:00", "updated": "2026-04-28T06:00:09.602811+00:00", "vendors": ["rargames", "rargames$PRODUCT$4gaboards"]}