{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7085", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-26T08:16:25.266Z", "datePublished": "2026-04-27T04:00:14.468Z", "dateUpdated": "2026-04-27T12:40:00.817Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T04:00:14.468Z"}, "title": "HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "HBAI-Ltd", "product": "Toonflow-app", "versions": [{"version": "1.1.0", "status": "affected"}, {"version": "1.1.1", "status": "affected"}], "modules": ["downloadApp Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that \"[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address.\""}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}], "timeline": [{"time": "2026-04-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-26T10:21:38.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu Bao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359660", "name": "VDB-359660 | HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359660/cti", "name": "VDB-359660 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/799583", "name": "Submit #799583 | HBAI-Ltd Toonflow 1.1.1 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96#issuecomment-4208193927", "tags": ["issue-tracking"]}, {"url": "https://github.com/HBAI-Ltd/Toonflow-app/", "tags": ["product"]}], "tags": ["disputed"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T12:39:48.256378Z", "id": "CVE-2026-7085", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:40:00.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7085", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T12:39:48.256378Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:39:54.207Z"}}], "cna": {"tags": ["disputed"], "title": "HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal", "credits": [{"lang": "en", "type": "reporter", "value": "Yu Bao (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"}}], "affected": [{"vendor": "HBAI-Ltd", "modules": ["downloadApp Endpoint"], "product": "Toonflow-app", "versions": [{"status": "affected", "version": "1.1.0"}, {"status": "affected", "version": "1.1.1"}]}], "timeline": [{"lang": "en", "time": "2026-04-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-26T10:21:38.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359660", "name": "VDB-359660 | HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359660/cti", "name": "VDB-359660 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/799583", "name": "Submit #799583 | HBAI-Ltd Toonflow 1.1.1 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96#issuecomment-4208193927", "tags": ["issue-tracking"]}, {"url": "https://github.com/HBAI-Ltd/Toonflow-app/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that \"[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T04:00:14.468Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7085", "state": "PUBLISHED", "dateUpdated": "2026-04-27T12:40:00.817Z", "dateReserved": "2026-04-26T08:16:25.266Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T04:00:14.468Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cna@vuldb.com", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that \"[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address.\""}], "id": "CVE-2026-7085", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T04:16:10.247", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/HBAI-Ltd/Toonflow-app/"}, {"source": "cna@vuldb.com", "url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96"}, {"source": "cna@vuldb.com", "url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96#issuecomment-4208193927"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/799583"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359660"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359660/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Toonflow-app", "source": "cna", "vendor": "HBAI-Ltd"}, "product": "toonflow-app", "vendor": "hbai-ltd"}], "analysis": {"en": {"generated_at": "2026-04-29T02:39:53.956831+00:00", "value": {"mitigation_remediation": ["Check that the deployed Toonflow\u2011app version correlates with the vulnerable range and that no custom code modifications expose a launch URL", "Restrict the downloadApp endpoint to trusted internal networks or require authentication before allowing access", "Implement server\u2011side validation that rejects traversal patterns (e.g., \"..\") or enforces strict whitelisting of accepted update URLs"], "summary": {"action": "Verify", "impact": "Unverified Path Traversal Vulnerability"}, "threat_synthesis": {"affected_systems": "All installations of HBAI\u2011Ltd Toonflow\u2011app up to version 1.1.1 may contain the flaw described in the CVE. No newer releases have been cited in the vendor data, so the risk profile applies to any deployment within this version range until an official fix is disclosed.", "description_and_impact": "The reported flaw lies in the z.url function of the downloadApp endpoint for HBAI-Ltd Toonflow-app. The function accepts a URL argument that, if improperly handled, could resolve file system paths outside the intended directory, enabling path traversal. However, the CVE description states that the \"real existence of this vulnerability is still doubted at the moment\" and the vendor has explained that the update URL is statically compiled into the code; unless the code is modified by a user, the request will target the official source address. Accordingly, the existence and exploitable nature of the flaw remain unconfirmed, though the mechanism described suggests a potential for unauthorized file access if the conditions were met.", "risk_and_exploitability": "The CVSS score of 2.3 indicates a low overall risk, and the EPSS score of <\u202f1\u202f% points to a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. While remote exploitation is theoretically possible via the publicly exposed downloadApp endpoint, the vendor\u2019s comments and the high launch cost described in the CVE suggest that successful attacks would be difficult if they exist at all."}}}}, "created": "2026-04-27T19:51:42.654880+00:00", "updated": "2026-04-29T02:45:35.951025+00:00", "vendors": ["hbai-ltd", "hbai-ltd$PRODUCT$toonflow-app"]}