Search criteria
6 vulnerabilities found for Toonflow-app by HBAI-Ltd
CVE-2026-7086 (GCVE-0-2026-7086)
Vulnerability from nvd – Published: 2026-04-27 04:15 – Updated: 2026-04-27 11:22 Disputed
VLAI
Title
HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal
Summary
A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359661 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359661/cti | signaturepermissions-required |
| https://vuldb.com/submit/799584 | third-party-advisory |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/97 | exploitissue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/9… | issue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HBAI-Ltd | Toonflow-app |
Affected:
1.1.0
Affected: 1.1.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7086",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T11:13:46.841795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T11:22:34.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Storyboard Export"
],
"product": "Toonflow-app",
"vendor": "HBAI-Ltd",
"versions": [
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu-Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that \"[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T04:15:12.103Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359661 | HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359661"
},
{
"name": "VDB-359661 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359661/cti"
},
{
"name": "Submit #799584 | HBAI-Ltd Toonflow 1.1.1 Path Traversal Leading to Arbitrary File Read",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/799584"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/97"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/97#issuecomment-4208207717"
},
{
"tags": [
"product"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/"
}
],
"tags": [
"disputed"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T10:21:42.000Z",
"value": "VulDB entry last update"
}
],
"title": "HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7086",
"datePublished": "2026-04-27T04:15:12.103Z",
"dateReserved": "2026-04-26T08:16:28.410Z",
"dateUpdated": "2026-04-27T11:22:34.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7085 (GCVE-0-2026-7085)
Vulnerability from nvd – Published: 2026-04-27 04:00 – Updated: 2026-04-27 12:40 Disputed
VLAI
Title
HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal
Summary
A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that "[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359660 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359660/cti | signaturepermissions-required |
| https://vuldb.com/submit/799583 | third-party-advisory |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/96 | exploitissue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/9… | issue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HBAI-Ltd | Toonflow-app |
Affected:
1.1.0
Affected: 1.1.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7085",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T12:39:48.256378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T12:40:00.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"downloadApp Endpoint"
],
"product": "Toonflow-app",
"vendor": "HBAI-Ltd",
"versions": [
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that \"[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T04:00:14.468Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359660 | HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359660"
},
{
"name": "VDB-359660 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359660/cti"
},
{
"name": "Submit #799583 | HBAI-Ltd Toonflow 1.1.1 Remote Code Execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/799583"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96#issuecomment-4208193927"
},
{
"tags": [
"product"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/"
}
],
"tags": [
"disputed"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T10:21:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7085",
"datePublished": "2026-04-27T04:00:14.468Z",
"dateReserved": "2026-04-26T08:16:25.266Z",
"dateUpdated": "2026-04-27T12:40:00.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7084 (GCVE-0-2026-7084)
Vulnerability from nvd – Published: 2026-04-27 03:45 – Updated: 2026-04-27 13:29 Disputed
VLAI
Title
HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery
Summary
A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that "[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359659 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359659/cti | signaturepermissions-required |
| https://vuldb.com/submit/799582 | third-party-advisory |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/95 | exploitissue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/9… | issue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HBAI-Ltd | Toonflow-app |
Affected:
1.1.0
Affected: 1.1.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7084",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:09:33.463138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:29:56.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"getCodeByLink Endpoint"
],
"product": "Toonflow-app",
"vendor": "HBAI-Ltd",
"versions": [
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that \"[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T03:45:11.797Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359659 | HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359659"
},
{
"name": "VDB-359659 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359659/cti"
},
{
"name": "Submit #799582 | HBAI-Ltd Toonflow 1.1.1 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/799582"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/95"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/95#issuecomment-4208181221"
},
{
"tags": [
"product"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/"
}
],
"tags": [
"disputed"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T10:21:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7084",
"datePublished": "2026-04-27T03:45:11.797Z",
"dateReserved": "2026-04-26T08:16:21.874Z",
"dateUpdated": "2026-04-27T13:29:56.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7086 (GCVE-0-2026-7086)
Vulnerability from cvelistv5 – Published: 2026-04-27 04:15 – Updated: 2026-04-27 11:22 Disputed
VLAI
Title
HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal
Summary
A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359661 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359661/cti | signaturepermissions-required |
| https://vuldb.com/submit/799584 | third-party-advisory |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/97 | exploitissue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/9… | issue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HBAI-Ltd | Toonflow-app |
Affected:
1.1.0
Affected: 1.1.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7086",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T11:13:46.841795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T11:22:34.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Storyboard Export"
],
"product": "Toonflow-app",
"vendor": "HBAI-Ltd",
"versions": [
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu-Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that \"[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T04:15:12.103Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359661 | HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359661"
},
{
"name": "VDB-359661 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359661/cti"
},
{
"name": "Submit #799584 | HBAI-Ltd Toonflow 1.1.1 Path Traversal Leading to Arbitrary File Read",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/799584"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/97"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/97#issuecomment-4208207717"
},
{
"tags": [
"product"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/"
}
],
"tags": [
"disputed"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T10:21:42.000Z",
"value": "VulDB entry last update"
}
],
"title": "HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7086",
"datePublished": "2026-04-27T04:15:12.103Z",
"dateReserved": "2026-04-26T08:16:28.410Z",
"dateUpdated": "2026-04-27T11:22:34.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7085 (GCVE-0-2026-7085)
Vulnerability from cvelistv5 – Published: 2026-04-27 04:00 – Updated: 2026-04-27 12:40 Disputed
VLAI
Title
HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal
Summary
A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that "[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359660 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359660/cti | signaturepermissions-required |
| https://vuldb.com/submit/799583 | third-party-advisory |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/96 | exploitissue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/9… | issue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HBAI-Ltd | Toonflow-app |
Affected:
1.1.0
Affected: 1.1.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7085",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T12:39:48.256378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T12:40:00.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"downloadApp Endpoint"
],
"product": "Toonflow-app",
"vendor": "HBAI-Ltd",
"versions": [
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that \"[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T04:00:14.468Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359660 | HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359660"
},
{
"name": "VDB-359660 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359660/cti"
},
{
"name": "Submit #799583 | HBAI-Ltd Toonflow 1.1.1 Remote Code Execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/799583"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/96#issuecomment-4208193927"
},
{
"tags": [
"product"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/"
}
],
"tags": [
"disputed"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T10:21:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7085",
"datePublished": "2026-04-27T04:00:14.468Z",
"dateReserved": "2026-04-26T08:16:25.266Z",
"dateUpdated": "2026-04-27T12:40:00.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7084 (GCVE-0-2026-7084)
Vulnerability from cvelistv5 – Published: 2026-04-27 03:45 – Updated: 2026-04-27 13:29 Disputed
VLAI
Title
HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery
Summary
A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that "[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359659 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359659/cti | signaturepermissions-required |
| https://vuldb.com/submit/799582 | third-party-advisory |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/95 | exploitissue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/issues/9… | issue-tracking |
| https://github.com/HBAI-Ltd/Toonflow-app/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HBAI-Ltd | Toonflow-app |
Affected:
1.1.0
Affected: 1.1.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7084",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:09:33.463138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:29:56.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"getCodeByLink Endpoint"
],
"product": "Toonflow-app",
"vendor": "HBAI-Ltd",
"versions": [
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that \"[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T03:45:11.797Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359659 | HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359659"
},
{
"name": "VDB-359659 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359659/cti"
},
{
"name": "Submit #799582 | HBAI-Ltd Toonflow 1.1.1 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/799582"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/95"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/issues/95#issuecomment-4208181221"
},
{
"tags": [
"product"
],
"url": "https://github.com/HBAI-Ltd/Toonflow-app/"
}
],
"tags": [
"disputed"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T10:21:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7084",
"datePublished": "2026-04-27T03:45:11.797Z",
"dateReserved": "2026-04-26T08:16:21.874Z",
"dateUpdated": "2026-04-27T13:29:56.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}