CVE-2026-33293
8.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
WWBN AVideo is an open source video platform. Prior to version 26.0, the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink() without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., ../../) to delete arbitrary files on the server, including critical application files such as configuration.php, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WWBN | AVideo | < 26.0 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226
- https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.