CVE-2026-41419
Published: 24 April 2026
Summary
CVE-2026-41419 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 8.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents path traversal vulnerabilities by requiring validation of inputs like BOARDS archive paths during board import to block traversal sequences.
SI-2 mandates identification, reporting, and correction of flaws such as this path traversal issue through timely patching to version 3.3.5 or equivalent.
AC-6 least privilege restricts board import capabilities to only necessary users, reducing the attack surface for authenticated exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in the board import functionality directly enables reading and exfiltrating arbitrary files from the host filesystem as attachments, mapping to T1005 Data from Local System.
NVD Description
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbitrary host files as board attachments during BOARDS archive import.…
more
Once imported, the file can be downloaded through the normal application interface, resulting in unauthorized local file disclosure. This vulnerability is fixed in 3.3.5.
Deeper analysisAI
CVE-2026-41419 is a path traversal vulnerability (CWE-22) in 4ga Boards, an open-source boards system for realtime project management. Versions prior to 3.3.5 are affected, specifically in the board import functionality for BOARDS archives. The flaw enables an authenticated user with board import privileges to manipulate the import process, causing the server to ingest arbitrary files from the host filesystem as board attachments.
An attacker with low-privilege access (PR:L) can exploit this remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving a CVSS v3.1 base score of 7.6 (High). By crafting a malicious BOARDS archive, the attacker tricks the server into reading and attaching sensitive local files. Once imported, these files become accessible for download via the standard application interface, leading to unauthorized disclosure of host filesystem contents, with high confidentiality impact (C:H) alongside low integrity (I:L) and availability (A:L) effects in an unchanged scope (S:U).
The vulnerability is addressed in 4ga Boards version 3.3.5, as detailed in the GitHub Security Advisory GHSA-rrjq-7x8g-cmgm. Security practitioners should upgrade to the patched version and review access controls for board import privileges to mitigate exposure.
Details
- CWE(s)