CVE-2026-33354
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Summary
WWBN AVideo is an open source video platform. In versions up to and including 26.0, POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass isValidURLOrPath(). That helper allows files under broad server directories including /var/www/, the application root, cache, tmp, and videos, only rejecting .php files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WWBN | AVideo | <= 26.0 | affected |
Weaknesses
- CWE-73: CWE-73: External Control of File Name or Path
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6
- https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.