CVE-2026-8115: short-video-maker has a path traversal vulnerability

May 8, 2026 (updated May 13, 2026)

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/advisories/GHSA-935g-9rq5-q95c
github.com/gyoridavid/short-video-maker
github.com/gyoridavid/short-video-maker/issues/73
nvd.nist.gov/vuln/detail/CVE-2026-8115
vuldb.com/submit/808258
vuldb.com/vuln/361903
vuldb.com/vuln/361903/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-8115 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →