Critical Zip Slip in Streambert Lets Remote Attackers Write Arbitrary Files
Streambert fixed a critical arbitrary file write flaw in version 2.5.0 after maintainers disclosed multiple security issues, including GHSA-3q2x-3q9p-qwfc. The vulnerability affects Streambert 2.4.0 and earlier, where subtitle extraction in src/ipc/subtitles.js concatenates ZIP entry names into a temporary path without sanitization, allowing path traversal during archive extraction. The issue was reported by jeremyHOT and fixed with the 2.5.0 release.
The flaw, tracked as CVE-2026-48055, allows a malicious subtitle ZIP archive delivered through Streambert’s subtitle download workflow to escape the intended temporary directory and write files anywhere permitted by the application’s privileges. The advisory links exploitation to the get-subtitle-url IPC channel and recommends sanitizing extracted filenames, while public vulnerability records rate the bug CVSS 10.0 and describe it as remotely exploitable. Users are advised to upgrade to Streambert 2.5.0 immediately.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-48055 published for Streambert Zip Slip vulnerability
On 2026-06-16, CVE-2026-48055 was published for the Streambert arbitrary file write vulnerability in subtitle extraction. The entry rates the issue critical with a CVSS 3.1 score of 10.0 and identifies Streambert 2.5.0 as the fixed version.
GitHub advisory discloses Zip Slip flaw in Streambert
On 2026-05-22, a GitHub security advisory disclosed a high-severity arbitrary file write (Zip Slip) vulnerability in Streambert affecting versions up to 2.4.0. The advisory says the issue was patched in version 2.5.0 and includes technical details and a proof of concept involving malicious subtitle ZIP archives.
Streambert 2.5.0 released with fixes for three critical vulnerabilities
On 2026-05-22, truelockmc released Streambert version 2.5.0. The release notes state that it fixes three critical vulnerabilities, including GHSA-3q2x-3q9p-qwfc, with fixes credited to jeremyHOT and truelockmc.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-48055 - Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction
cvefeed.io
Open sourceRelease v.2.5.0 · truelockmc/streambert · GitHub
github.com
Open sourceArbitrary File Write (Zip Slip) via Subtitle Extraction · Advisory · truelockmc/streambert · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Remote Code Execution Vulnerabilities in 7-Zip via Malicious ZIP Archives
Two high-severity vulnerabilities in the widely used open-source compression utility 7-Zip have been disclosed, allowing attackers to achieve remote code execution by leveraging specially crafted ZIP archives. The flaws, identified as CVE-2025-11001 and CVE-2025-11002, were reported by Trend Micro’s Zero Day Initiative and affect multiple builds of 7-Zip. These vulnerabilities arise from improper parsing of symbolic links within ZIP files, enabling a malicious archive to escape its intended extraction directory and write files to arbitrary locations on the victim’s system. If exploited, this directory traversal can be chained to execute arbitrary code with the privileges of the user running 7-Zip, potentially compromising the entire Windows environment. Both vulnerabilities have been assigned a CVSS base score of 7.0, reflecting their significant risk. Exploitation requires minimal user interaction; simply opening or extracting a malicious ZIP file is sufficient to trigger the attack. The vulnerabilities were quietly patched in 7-Zip version 25.00, released on July 5, 2025, but details were not publicly disclosed until October, leaving users unaware and exposed for several months if they had not updated. The lack of an automatic update mechanism in 7-Zip exacerbates the risk, as many users may not be running the latest, patched version. The vulnerabilities specifically allow attackers to overwrite or plant payloads in sensitive system paths, which can be used to hijack execution flow and escalate privileges. Security advisories emphasize the importance of updating to version 25.00 or later to mitigate these risks. The flaws highlight the ongoing challenges in securing widely deployed open-source tools, especially those lacking robust update mechanisms. Organizations relying on 7-Zip for file compression and extraction should prioritize patching and consider additional controls to limit the impact of potential exploitation. The vulnerabilities underscore the need for user awareness regarding the risks of opening files from untrusted sources. Security researchers warn that similar directory traversal and symlink handling issues may exist in other archiving tools, warranting broader scrutiny. The incident demonstrates the value of coordinated vulnerability disclosure and timely patch adoption. Enterprises are advised to audit their environments for outdated 7-Zip installations and deploy the latest version as a matter of urgency. The disclosure also serves as a reminder for software maintainers to implement secure default behaviors and consider automated update features to protect end users.
Mar 21, 2026
Critical 7-Zip NTFS Handler Flaw Enables Code Execution via Crafted Archives
Researchers disclosed **CVE-2026-48095**, a critical heap buffer overflow in 7-Zip affecting version `26.00` and earlier that can lead to application crashes, denial of service, or arbitrary code execution. The bug, reported by Jaroslav Lobačevski of GitHub Security Lab and tracked in advisory `GHSL-2026-140`, resides in the NTFS archive handler’s `CInStream::GetCuSize()` logic, where an under-allocation can shrink a buffer to 1 byte before a later operation writes up to 256 MB of attacker-controlled data into it. The resulting heap corruption can overwrite adjacent objects, including a stream object’s **vtable** pointer, creating a path to code execution. The vulnerability can be triggered simply by opening a specially crafted file because 7-Zip uses signature-based fallback detection and may route files disguised as `.7z`, `.zip`, or `.rar` into the vulnerable NTFS parser regardless of extension. Reports say both 32-bit and 64-bit builds are affected, with 64-bit systems that have sufficient memory more likely to reach reliable code execution, while lower-memory systems may instead crash. Public disclosure included technical details and a Python proof-of-concept generator, raising the risk of weaponization; the issue carries a **CVSS 3.1 score of 8.8**, and users are being urged to update 7-Zip and avoid opening untrusted archives.
May 28, 2026
Unauthenticated OS Command Injection in AVideo via `base64Url` Parameter
A critical, **zero-click unauthenticated OS command injection** vulnerability was disclosed in the open-source video hosting/streaming platform **AVideo**, tracked as **CVE-2026-29058**. The flaw affects versions **prior to 7.0** (including **6.0**) and allows remote attackers to execute arbitrary operating system commands on the server without user interaction or prior privileges, creating a path to **full server compromise**, **data exfiltration** (e.g., configuration secrets, internal keys, credentials), and **service disruption**. The issue stems from `objects/getImage.php`, where attacker-controlled input in the `base64Url` GET parameter is Base64-decoded and incorporated into a double-quoted `ffmpeg` shell command without proper escaping/neutralization of shell metacharacters and command substitution (CWE-78). The vulnerability was reported by security researcher **Arkmarta**, and remediation is available by upgrading to **AVideo 7.0 or later**, which includes the official patch.
Mar 21, 2026