CVE-2026-33238
Received Received - Intake
Path Traversal in WWBN AVideo Allows Server File Enumeration

Publication date: 2026-03-21

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server β€” including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33238
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33238 is a path traversal vulnerability in the WWBN AVideo platform affecting the listFiles.json.php endpoint. This endpoint accepts a POST parameter named 'path' and passes it directly to the PHP glob() function without validating or restricting it to a designated base directory."}, {'type': 'paragraph', 'content': 'An authenticated user with upload permissions (a low-privilege role) can supply arbitrary absolute paths to enumerate .mp4 files anywhere on the server filesystem, including directories outside the intended video upload directory.'}, {'type': 'paragraph', 'content': 'This allows the attacker to discover private or premium media files and reveals the full absolute filesystem paths, exposing sensitive directory structure information that could facilitate further attacks.'}] [1]

Impact Analysis

This vulnerability allows an authenticated uploader to traverse the entire server filesystem and enumerate .mp4 files outside the intended directories.

  • Unauthorized disclosure of private or premium media files stored outside the web root.
  • Exposure of full absolute filesystem paths, revealing sensitive server directory structure.
  • Potential facilitation of further attacks due to leaked directory information.
  • Increased risk because the vulnerability requires only low privileges (canUpload), which are commonly granted to many users.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to enumerate .mp4 files outside the intended upload directory using the vulnerable endpoint. Specifically, an authenticated user with upload permissions can send POST requests to the listFiles.json.php endpoint with the `path` parameter set to various directories to check if the server returns file listings outside the allowed base directory.

  • Authenticate as a user with `canUpload` permission.
  • Send a POST request to the endpoint with `path` set to the intended videos directory, for example: `path=/var/www/html/videos/`.
  • Send a POST request with `path` set to directories outside the web root, such as `path=/var/private/premium-content/` or `path=/` to attempt to enumerate .mp4 files anywhere on the server.

If the server responds with JSON containing full absolute paths of .mp4 files outside the allowed directory, the vulnerability is present.

Mitigation Strategies

To mitigate this vulnerability immediately, you should apply the patch that restricts file enumeration to an allowed base directory by validating and normalizing the user-supplied path before passing it to the glob() function.

  • Use `realpath()` to resolve the absolute path of the user-supplied `path` parameter.
  • Define an allowed base directory (e.g., the videos directory) and ensure the resolved path starts with this base path.
  • If the path is invalid or outside the allowed base directory, respond with HTTP 403 Forbidden and an error message, then exit.

This approach prevents directory traversal by ensuring file listings are confined to the intended directory.

If you are using the WWBN AVideo platform, upgrade to version 26.0 or later where this fix is implemented.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart