CVE-2026-33292
Received Received - Intake
Path Traversal in WWBN AVideo HLS Endpoint Enables Unauthorized Streaming

Publication date: 2026-03-22

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths β€” one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) β€” creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-22
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33292
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33292 is a path traversal vulnerability in the WWBN AVideo platform's HLS streaming endpoint (`view/hls.php`). It arises because the `videoDirectory` GET parameter is handled inconsistently in two parts of the code: authorization checks only consider the first segment of the path, while file access uses the full path including traversal sequences like `..`. This discrepancy allows an unauthenticated attacker to bypass authorization and stream any private or paid video by crafting a path that appears authorized but actually points to restricted content."}, {'type': 'paragraph', 'content': 'Specifically, the authorization function truncates the input at the first slash and checks permissions on that segment, while the file path construction preserves the full input, including `..` sequences, which the operating system resolves to access files outside the authorized directory. This split-oracle condition enables unauthorized streaming of protected videos.'}] [2]

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to private, unlisted, or paid videos on the AVideo platform without authentication.

  • Any unauthenticated user can stream restricted content by exploiting the path traversal.
  • Paid content can be accessed without payment, leading to monetization loss.
  • Privacy of restricted videos is compromised as unauthorized users can view them.
  • Content theft can occur at scale due to predictable video filename patterns.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access private or paid videos through the vulnerable HLS streaming endpoint using crafted requests that include path traversal sequences in the `videoDirectory` GET parameter.'}, {'type': 'paragraph', 'content': 'A practical detection method is to use curl commands to test if unauthorized video streaming is possible by exploiting the path traversal.'}, {'type': 'list_item', 'content': 'Check direct access denial to a private video: curl -s "https://target.com/view/hls.php?videoDirectory=private_video"'}, {'type': 'list_item', 'content': 'Test the path traversal exploit by requesting a public video directory with traversal to a private video: curl -s "https://target.com/view/hls.php?videoDirectory=public_video/../private_video" -H "Accept: application/vnd.apple.mpegurl"'}, {'type': 'list_item', 'content': 'Attempt to stream the private video segments using ffmpeg: ffmpeg -i "https://target.com/view/hls.php?videoDirectory=public_video/../private_video" -c copy stolen_video.mp4'}] [2]

Mitigation Strategies

Immediate mitigation involves applying input sanitization and path resolution checks to prevent path traversal attacks on the `videoDirectory` parameter.

  • Reject any `videoDirectory` input containing `..` sequences at the start of the `view/hls.php` script.
  • Normalize the `videoDirectory` parameter by replacing backslashes with forward slashes, trimming leading/trailing slashes, and collapsing multiple slashes.
  • Implement a `realpath()` verification in the `getPathToFile()` method to ensure the resolved absolute path remains within the designated videos directory.

Upgrading to version 26.0 or later of WWBN AVideo, which contains the official fix for this vulnerability, is strongly recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart