Videolan Vlc Security Vulnerabilities in 2026

In 2026 there have been 2 vulnerabilities in Videolan Vlc with an average score of 4.3 out of ten.

Year	Vulnerabilities	Average Score
2026	2	4.30

It may take a day or so for new Vlc vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Videolan Vlc Security Vulnerabilities

VLC-Android <3.7.0: OTP Auth Bypass via Ratelimit Failure
CVE-2026-26227 3.7 - Low - February 26, 2026

VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.

Improper Restriction of Excessive Authentication Attempts

VideoLAN VLC Android <3.7.0 path traversal via Remote Access GET /download
CVE-2026-26228 4.9 - Medium - February 26, 2026

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.

Directory traversal

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Videolan Vlc or by Videolan? Click the Watch button to subscribe.

Videolan
Vendor

Videolan Vlc
Product

Videolan Vlc

Don't miss out!

By the Year

Recent Videolan Vlc Security Vulnerabilities

VLC-Android <3.7.0: OTP Auth Bypass via Ratelimit Failure
CVE-2026-26227 3.7 - Low - February 26, 2026

VideoLAN VLC Android <3.7.0 path traversal via Remote Access GET /download
CVE-2026-26228 4.9 - Medium - February 26, 2026

Stay on top of Security Vulnerabilities

Videolan
Vendor

Videolan Vlc
Product

Videolan Vlc

Don't miss out!

By the Year

Recent Videolan Vlc Security Vulnerabilities

VLC-Android <3.7.0: OTP Auth Bypass via Ratelimit Failure CVE-2026-26227 3.7 - Low - February 26, 2026

VideoLAN VLC Android <3.7.0 path traversal via Remote Access GET /download CVE-2026-26228 4.9 - Medium - February 26, 2026

Stay on top of Security Vulnerabilities

Videolan Vendor

Videolan VlcProduct

VLC-Android <3.7.0: OTP Auth Bypass via Ratelimit Failure
CVE-2026-26227 3.7 - Low - February 26, 2026

VideoLAN VLC Android <3.7.0 path traversal via Remote Access GET /download
CVE-2026-26228 4.9 - Medium - February 26, 2026

Videolan
Vendor

Videolan Vlc
Product