CVE-2026-48055: CWE-20: Improper Input Validation in truelockmc streambert
Streambert, a cross-platform Electron desktop app for streaming and downloading video media, contains a critical Zip Slip vulnerability in versions prior to 2.5.0. The vulnerability arises from improper input validation in the subtitle extraction logic, where archive entry filenames are not sanitized during ZIP extraction. This allows a malicious ZIP archive to perform path traversal and write arbitrary files to the host filesystem. The issue has been fixed in version 2.5.0.
AI Analysis
Technical Summary
CVE-2026-48055 describes a critical Zip Slip vulnerability in Streambert versions before 2.5.0. The vulnerability is due to improper input validation (CWE-20) and path traversal (CWE-22) in the subtitle extraction process. When extracting ZIP archives, the application concatenates raw archive entry names directly to a temporary directory path without sanitization. Malicious ZIP archives containing directory traversal sequences can escape the intended extraction directory and write files anywhere on the host filesystem, limited only by the application's write permissions. This can lead to arbitrary file overwrite and potentially compromise system integrity. The vulnerability has been resolved in Streambert version 2.5.0.
Potential Impact
An attacker can craft a malicious ZIP archive that, when processed by vulnerable Streambert versions (<2.5.0), can write arbitrary files to arbitrary locations on the host filesystem. This can lead to arbitrary code execution, system compromise, or denial of service depending on what files are overwritten. The CVSS v3.1 score is 10.0 (critical), reflecting network attack vector, no required privileges or user interaction, and high impact on integrity and availability.
Mitigation Recommendations
Users should upgrade Streambert to version 2.5.0 or later, where this vulnerability has been fixed. No other mitigations are specified or required once the update is applied. Patch status is confirmed fixed in 2.5.0.
CVE-2026-48055: CWE-20: Improper Input Validation in truelockmc streambert
Description
Streambert, a cross-platform Electron desktop app for streaming and downloading video media, contains a critical Zip Slip vulnerability in versions prior to 2.5.0. The vulnerability arises from improper input validation in the subtitle extraction logic, where archive entry filenames are not sanitized during ZIP extraction. This allows a malicious ZIP archive to perform path traversal and write arbitrary files to the host filesystem. The issue has been fixed in version 2.5.0.
CVSS v3.1
Score 10.0critical
Affected software
pkg:github/truelockmc/streambertRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48055 describes a critical Zip Slip vulnerability in Streambert versions before 2.5.0. The vulnerability is due to improper input validation (CWE-20) and path traversal (CWE-22) in the subtitle extraction process. When extracting ZIP archives, the application concatenates raw archive entry names directly to a temporary directory path without sanitization. Malicious ZIP archives containing directory traversal sequences can escape the intended extraction directory and write files anywhere on the host filesystem, limited only by the application's write permissions. This can lead to arbitrary file overwrite and potentially compromise system integrity. The vulnerability has been resolved in Streambert version 2.5.0.
Potential Impact
An attacker can craft a malicious ZIP archive that, when processed by vulnerable Streambert versions (<2.5.0), can write arbitrary files to arbitrary locations on the host filesystem. This can lead to arbitrary code execution, system compromise, or denial of service depending on what files are overwritten. The CVSS v3.1 score is 10.0 (critical), reflecting network attack vector, no required privileges or user interaction, and high impact on integrity and availability.
Mitigation Recommendations
Users should upgrade Streambert to version 2.5.0 or later, where this vulnerability has been fixed. No other mitigations are specified or required once the update is applied. Patch status is confirmed fixed in 2.5.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-20T18:15:53.579Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a31c7a50b89be6888375e3a
Added to database: 6/16/2026, 10:01:09 PM
Last enriched: 6/16/2026, 10:15:50 PM
Last updated: 6/17/2026, 4:19:15 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.