Cyber Resilience

CVE-2026-41419

High

Published: 24 April 2026

Published
24 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS Score 0.0003 10.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41419 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 10.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41419 is a path traversal vulnerability (CWE-22) in 4ga Boards, an open-source boards system for realtime project management. Versions prior to 3.3.5 are affected, specifically in the board import functionality for BOARDS archives. The flaw enables an authenticated user with board import privileges to manipulate the import process, causing the server to ingest arbitrary files from the host filesystem as board attachments.

An attacker with low-privilege access (PR:L) can exploit this remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving a CVSS v3.1 base score of 7.6 (High). By crafting a malicious BOARDS archive, the attacker tricks the server into reading and attaching sensitive local files. Once imported, these files become accessible for download via the standard application interface, leading to unauthorized disclosure of host filesystem contents, with high confidentiality impact (C:H) alongside low integrity (I:L) and availability (A:L) effects in an unchanged scope (S:U).

The vulnerability is addressed in 4ga Boards version 3.3.5, as detailed in the GitHub Security Advisory GHSA-rrjq-7x8g-cmgm. Security practitioners should upgrade to the patched version and review access controls for board import privileges to mitigate exposure.

EU & UK References

Vulnerability details

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import.…

more

Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in the board import functionality directly enables reading and exfiltrating arbitrary files from the host filesystem as attachments, mapping to T1005 Data from Local System.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44307Shared CWE-22
CVE-2025-68921Shared CWE-22
CVE-2026-39369Shared CWE-22
CVE-2025-13801Shared CWE-22
CVE-2026-42600Shared CWE-22
CVE-2025-54794Shared CWE-22
CVE-2026-41205Shared CWE-22
CVE-2025-45691Shared CWE-22
CVE-2026-7182Shared CWE-22
CVE-2025-24605Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents path traversal vulnerabilities by requiring validation of inputs like BOARDS archive paths during board import to block traversal sequences.

prevent

SI-2 mandates identification, reporting, and correction of flaws such as this path traversal issue through timely patching to version 3.3.5 or equivalent.

prevent

AC-6 least privilege restricts board import capabilities to only necessary users, reducing the attack surface for authenticated exploitation.

References