CVE-2026-33493
Path Traversal in WWBN AVideo import.json.php Allows Data Theft
Publication date: 2026-03-23
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 26.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33493 is a path traversal vulnerability in the WWBN AVideo platform, specifically in the objects/import.json.php endpoint. The endpoint accepts a user-controlled POST parameter named fileURI, which is validated only by a regex that checks the value ends with ".mp4"; nothing restricts which directory the path may point into.

Because the directory is never checked, an authenticated user with upload permission can point fileURI at files outside the intended videos/ directory. This lets them import (and so steal) private video files belonging to other users, read adjacent text-based files (.txt, .html, .htm) that may hold sensitive information, and delete video files and their adjacent files where the web server process has write access to them.

The root cause is insufficient path validation: the endpoint never resolves the supplied path with realpath() and confirms the result lies inside videos/, so a value such as "../other_dir/private.mp4" passes the extension check and is used as-is. [2]
How can this vulnerability impact me?
This vulnerability can have several serious impacts if you are using the affected AVideo platform:
- Confidentiality breach: Authenticated users with upload permissions can steal private videos of other users by importing them into their own accounts.
- Disclosure of sensitive information: Attackers can read adjacent text-based files (.txt, .html, .htm) located next to video files, potentially exposing sensitive data.
- Data loss: Attackers can delete video files and their associated metadata if the files are writable by the web server process.
Overall, this vulnerability allows unauthorized access, theft, and deletion of private video content and related files, which can severely compromise the integrity and confidentiality of your video platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centres on POST requests to the objects/import.json.php endpoint that carry the fileURI parameter. Because the vulnerable parameter travels in the POST body, a default Apache or nginx access log records only the request line (method, path, query string) and will not contain it; the commands below only match fileURI values that were sent in the query string, or that a reverse proxy, WAF or mod_security audit log has written out in full. Where the value is visible, anything containing a traversal sequence (../, or a URL-encoded form such as %2e%2e/) or pointing outside the videos/ directory indicates an exploitation attempt.

Example commands against an Apache access log:

- Find POST requests whose fileURI parameter ends in .mp4:
  grep -i 'POST.*fileURI=.*\.mp4' /var/log/apache2/access.log
- Narrow those to values containing a traversal sequence, plain or URL-encoded:
  grep -i 'fileURI=.*\.mp4' /var/log/apache2/access.log | grep -iE '\.\./|%2e%2e'

Once the patch is applied, a rise in HTTP 403 Forbidden responses from import.json.php indicates attempts to reach paths the fix now rejects. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to apply the patch, which enforces strict validation of the fileURI parameter so that file access is confined to the videos/ directory.
Specifically:
- Resolve the fileURI with realpath() and verify the resulting absolute path lies within the allowed videos/ directory; treat a realpath() failure (the file does not exist) as a rejection rather than falling through.
- Reject requests where the resolved path is outside the videos/ directory with an HTTP 403 Forbidden response.
- Keep the existing check that fileURI ends with .mp4, using a case-insensitive regex; the extension check alone is not sufficient, since a traversal path can still end in .mp4.
- Ensure that only authenticated users with upload permission can reach the import functionality.
If patching is not immediately possible, restrict access to the import.json.php endpoint to trusted users and monitor logs for suspicious activity.
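The following is an added example of the confinement check the mitigation steps describe, written for this page; it is not AVideo's own code or patch. It assumes fileURI is passed to the check as received, that the videos directory path is known to the endpoint, and that the function name resolveImportPath and the demonstration directory layout are hypothetical.

```php
<?php
// Added example (not AVideo project code): confine an attacker-supplied
// fileURI to the videos/ directory before the endpoint uses it.
// Assumptions: $videosDir is the videos directory; function name is hypothetical.

function resolveImportPath(string $videosDir, string $fileURI): ?string
{
    // 1. The pre-patch check: extension only. On its own this is bypassable,
    //    because "../private/other.mp4" still ends in ".mp4".
    if (!preg_match('/\.mp4$/i', $fileURI)) {
        return null;
    }

    // 2. Canonicalise both sides. realpath() collapses "..", "." and symlinks
    //    and returns false when the path does not exist; treat that as reject.
    $base = realpath($videosDir);
    $real = realpath($fileURI);
    if ($base === false || $real === false) {
        return null;
    }

    // 3. Prefix-compare with a trailing separator, so a sibling directory
    //    such as "videos_private/" cannot masquerade as "videos/".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }

    // Note: this confines access to videos/ only; it does not decide whether
    // this user may import this particular file. Ownership is a separate check.
    return $real;
}

// How the endpoint would apply it (sketch):
//   $path = resolveImportPath(__DIR__ . '/../videos', $_POST['fileURI'] ?? '');
//   if ($path === null) { http_response_code(403); exit; }

// Self-contained demonstration on a constructed directory layout.
$tmp = sys_get_temp_dir() . '/avideo_demo_' . getmypid();
foreach (['videos', 'videos_private', 'private'] as $d) {
    mkdir("$tmp/$d", 0700, true);
}
touch("$tmp/videos/mine.mp4");
touch("$tmp/videos_private/leak.mp4");
touch("$tmp/private/other.mp4");

$cases = [
    "$tmp/videos/mine.mp4",              // inside videos/: allowed
    "$tmp/videos/../private/other.mp4",  // traversal that still ends in .mp4: rejected
    "$tmp/private/other.mp4",            // absolute path outside videos/: rejected
    "$tmp/videos_private/leak.mp4",      // sibling directory prefix trick: rejected
    "$tmp/videos/notes.txt",             // wrong extension: rejected
];
foreach ($cases as $c) {
    $r = resolveImportPath("$tmp/videos", $c);
    printf("%-40s => %s\n", substr($c, strlen($tmp)), $r === null ? 'REJECT (403)' : 'allow');
}

// Clean up the constructed layout.
foreach (['videos/mine.mp4', 'videos_private/leak.mp4', 'private/other.mp4'] as $f) {
    unlink("$tmp/$f");
}
foreach (['videos', 'videos_private', 'private'] as $d) {
    rmdir("$tmp/$d");
}
rmdir($tmp);
```

Run it with `php example.php`; only the first case is allowed. The order of the checks matters: the extension regex runs first so that realpath() is never called on arbitrary input for files the endpoint would not accept anyway, and the realpath() result is compared against the canonical base with a trailing separator rather than with a bare string prefix.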