PatchSiren cyber security CVE debrief
CVE-2026-48055 truelockmc CVE debrief
Streambert 2.4.0 and prior versions contain a high-severity Zip Slip vulnerability in subtitle extraction logic, allowing path traversal and arbitrary file writes. The application fails to sanitize archive entry filenames during extraction, enabling a malicious archive to escape temporary directory boundaries and write payloads anywhere on the host filesystem with current write permissions. This issue is fixed in version 2.5.0.
- Vendor
- truelockmc
- Product
- streambert
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
Users of Streambert versions 2.4.0 and prior should update to version 2.5.0 to mitigate this vulnerability. System administrators and security teams responsible for managing Electron desktop applications should prioritize this update.
Technical summary
The Streambert application, versions 2.4.0 and prior, is vulnerable to a Zip Slip attack. During subtitle extraction, the application downloads a ZIP archive and extracts its entries without sanitizing filenames. This allows a malicious ZIP archive to perform path traversal, enabling the writing of arbitrary files to the host filesystem. The vulnerability is characterized by the following: - CVSS Score: 10 - CVSS Severity: CRITICAL - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H - CWE: CWE-20, CWE-22 The vulnerability has been addressed in Streambert version 2.5.0.
Defensive priority
High
Recommended defensive actions
- Update Streambert to version 2.5.0 or later
- Review and restrict write permissions for the application's temporary directories
- Implement additional monitoring for suspicious file system modifications by the application
- Verify the integrity of downloaded ZIP archives before extraction
- Perform a thorough review of the application's file handling and extraction logic
- Conduct a security audit to identify potential vulnerabilities in the application's codebase
- Track and verify changes to the application's temporary directories and file system interactions
Evidence notes
The CVE record was published on 2026-06-17T13:20:42.257Z and was last modified on 2026-06-17T16:26:02.190Z. The NVD entry is currently Deferred. The vulnerability was identified in Streambert versions 2.4.0 and prior. The fix is included in version 2.5.0.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:42.257Z and has not been modified since then. The NVD entry is currently Deferred.