CVE-2026-33293
Received - Intake
Path Traversal in WWBN AVideo CloneSite Plugin Enables Arbitrary File Deletion

Publication date: 2026-03-22

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
Meta Information
Published: 2026-03-22
Last Modified: 2026-03-24
Generated: 2026-05-27
AI Q&A: 2026-03-22
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor   Product   Version / Range
wwbn     avideo    up to 26.0 (excluding 26.0)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33293 is a vulnerability in the WWBN AVideo open source video platform affecting versions prior to 26.0. It arises because the `deleteDump` parameter in the `plugin/CloneSite/cloneServer.json.php` script is passed directly to the PHP `unlink()` function without any path sanitization or validation.

An attacker with valid clone credentials can exploit this by using path traversal sequences (like `../../`) in the `deleteDump` parameter to delete arbitrary files on the server. This includes critical files such as `configuration.php`, which can cause the entire application to fail or enable further attacks by removing security-critical files.

The vulnerability exists because the application concatenates the user-supplied `deleteDump` value directly to the clones directory path without normalization or sanitization, allowing escape from the intended directory.


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Arbitrary file deletion: An attacker can delete any file accessible by the web server, including source code, configuration files, uploaded media, and database dumps.
  • Complete denial of service: Deleting critical files like `configuration.php` can break the entire AVideo application, causing fatal errors on every page load.
  • Security control bypass: Deleting access control files such as `.htaccess` can expose protected resources.
  • Data loss: Uploaded videos, photos, and backups stored on the server can be destroyed.
  • Potential escalation: Removing security-critical files may weaken defenses and enable further attacks.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual HTTP requests to the `plugin/CloneSite/cloneServer.json.php` endpoint that include the `deleteDump` parameter with path traversal sequences such as `../../`.

A proof of concept involves sending crafted HTTP requests with path traversal payloads in the `deleteDump` parameter to check if arbitrary files like `configuration.php` can be deleted.

  • Verify the target file exists by sending a request and checking for HTTP 200, 302, or 403 status codes.
  • Send a crafted request with a path traversal payload in `deleteDump`, for example: `../../videos/configuration.php`.
  • Check the server response for `"error": false` indicating successful deletion.
  • Confirm deletion by requesting the file again and expecting HTTP 404 or 500 errors.

Example command using curl to test for the vulnerability (replace URL and credentials accordingly):

  • `curl -i "https://targetsite/plugin/CloneSite/cloneServer.json.php?deleteDump=../../videos/configuration.php" -H "Authorization: Bearer <valid_clone_token>"` [1]
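The monitoring idea above, turned into a small log check (an added example, not part of the advisory or of AVideo): it scans web-server access-log lines for requests to `cloneServer.json.php` whose `deleteDump` value contains a directory separator or a traversal sequence, including percent-encoded forms. The log lines are constructed samples; the function name `isSuspiciousRequest` is assumed.

```php
<?php
// Added example (not AVideo's code): flag access-log entries that reach
// cloneServer.json.php with a deleteDump value that tries to leave the
// clones directory. A legitimate value is a bare file name, so any "/"
// or "../" after decoding is worth an alert.

function isSuspiciousRequest(string $logLine): bool
{
    // Pull the request target out of the quoted request field of a
    // combined-format log line.
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP/', $logLine, $m)) {
        return false;
    }
    $url = $m[1];
    if (stripos($url, 'plugin/CloneSite/cloneServer.json.php') === false) {
        return false;
    }
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $params);            // parse_str() URL-decodes once
    if (!isset($params['deleteDump'])) {
        return false;
    }
    // Decode a second time so double-encoded "%252e%252e%252f" is caught too,
    // and treat backslashes like slashes.
    $value = rawurldecode((string) $params['deleteDump']);
    $normalized = str_replace('\\', '/', $value);
    return strpos($normalized, '../') !== false
        || strpos($normalized, '/') !== false;
}

// Constructed sample log lines (combined log format).
$sampleLog = [
    '203.0.113.5 - - [22/Mar/2026:10:00:01 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=site-2026-03-20.sql HTTP/1.1" 200 48',
    '203.0.113.5 - - [22/Mar/2026:10:00:07 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=../../videos/configuration.php HTTP/1.1" 200 48',
    '203.0.113.5 - - [22/Mar/2026:10:00:09 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=%2e%2e%2f%2e%2e%2fvideos%2fconfiguration.php HTTP/1.1" 200 48',
    '198.51.100.9 - - [22/Mar/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
];

foreach ($sampleLog as $line) {
    if (isSuspiciousRequest($line)) {
        echo "ALERT: $line\n";             // fires for the 2nd and 3rd lines only
    }
}
```

The check only sees what the access log records; a `deleteDump` sent in a POST body does not appear there, so pair it with application-level logging of the parameter where possible.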


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the official patch that sanitizes the `deleteDump` parameter to prevent path traversal attacks.

The patch involves:

  • Using `basename()` on the `deleteDump` parameter to strip directory traversal components.
  • Constructing the full file path by concatenating the sanitized filename with the clones directory.
  • Validating the resolved real path of the target file to ensure it is within the allowed clones directory using `realpath()` and string comparison.
  • Rejecting any requests where the file path validation fails with an error message and terminating the operation.

Additionally, ensure that only trusted users have valid clone credentials, as the vulnerability requires valid clone authentication.

Upgrading to version 26.0 or later of WWBN AVideo, where this issue is fixed, is strongly recommended.
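The four patch steps listed above, written out as a hardened path-resolution routine (an added example, not AVideo's own code): `basename()` strips the traversal components, `realpath()` canonicalizes both the clones directory and the candidate file, and a prefix comparison rejects anything that resolves outside the directory, including symlinks. The names `resolveDumpPath` and `$clonesDir` are assumed.

```php
<?php
// Added example (not AVideo's code). Vulnerable pattern described by the
// advisory, for contrast (do not use):
//     unlink($clonesDir . $_GET['deleteDump']);

/**
 * Resolve a user-supplied dump file name to an existing file inside
 * $clonesDir, or return null when the input escapes (or does not point to
 * a file in) that directory.
 */
function resolveDumpPath(string $clonesDir, string $deleteDump): ?string
{
    // 1. Drop every directory component, so "../../videos/configuration.php"
    //    collapses to "configuration.php" and cannot climb out of $clonesDir.
    $name = basename($deleteDump);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // 2. Canonicalize the base directory; fail closed if it is missing.
    $base = realpath($clonesDir);
    if ($base === false) {
        return null;
    }

    // 3. Canonicalize the candidate. realpath() follows symlinks and returns
    //    false when the file does not exist, so a missing file is rejected.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;
    }

    // 4. Compare with a trailing separator so that "/srv/clones_other/x" is
    //    not accepted for base "/srv/clones".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Hardened handler (assumed clones location and request parameter).
$clonesDir = __DIR__ . '/clones';
$path = resolveDumpPath($clonesDir, (string) ($_GET['deleteDump'] ?? ''));
if ($path === null) {
    echo json_encode(['error' => true, 'msg' => 'invalid dump name']);
    exit;
}
unlink($path);
echo json_encode(['error' => false]);
```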

