Submit #799584: HBAI-Ltd Toonflow 1.1.1 Path Traversal Leading to Arbitrary File Readinfo

TitleHBAI-Ltd Toonflow 1.1.1 Path Traversal Leading to Arbitrary File Read
DescriptionA three-step attack chain allows any authenticated user to read arbitrary files from the server via the storyboard export feature: Inject malicious filePath into the o_storyboard database table via updateStoryboardUrl — the replaceUrl() function fails to sanitize non-URL strings, returning path traversal payloads unchanged Trigger file read via exportImage — the endpoint uses path.join(getPath("oss"), item.filePath!) without isPathInside() validation, allowing the crafted filePath to escape the OSS directory Exfiltrate file contents — the file is included in the downloaded ZIP archive
Source⚠️ https://github.com/HBAI-Ltd/Toonflow-app/issues/97
User
 Yu-Bao (UID 96702)
Submission04/08/2026 11:07 (3 months ago)
Moderation04/26/2026 10:16 (18 days later)
StatusAccepted
VulDB entry359661 [HBAI-Ltd Toonflow-app up to 1.1.1 Storyboard Export replaceUrl.ts updateStoryboardUrl url path traversal]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!