CVE-2026-33493
Received Received - Intake
Path Traversal in WWBN AVideo import.json.php Allows Data Theft

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33493
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33493 is a path traversal vulnerability in the WWBN AVideo platform, specifically in the objects/import.json.php endpoint. This endpoint accepts a user-controlled POST parameter called fileURI, which is only validated by a regex to ensure it ends with ".mp4" but lacks proper directory restrictions.'}, {'type': 'paragraph', 'content': 'Because of this missing directory restriction, an authenticated user with upload permission can manipulate the fileURI parameter to access files outside the intended videos/ directory. This allows them to steal private video files belonging to other users, read adjacent text-based files (.txt, .html, .htm) that may contain sensitive information, and delete video and adjacent files if writable by the web server.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from insufficient path validation and lack of realpath() checks to confine file access within the videos/ directory, enabling path traversal attacks.'}] [2]

Impact Analysis

This vulnerability can have several serious impacts if you are using the affected AVideo platform:

  • Confidentiality breach: Authenticated users with upload permissions can steal private videos of other users by importing them into their own accounts.
  • Disclosure of sensitive information: Attackers can read adjacent text-based files (.txt, .html, .htm) located next to video files, potentially exposing sensitive data.
  • Data loss: Attackers can delete video files and their associated metadata if the files are writable by the web server process.

Overall, this vulnerability allows unauthorized access, theft, and deletion of private video content and related files, which can severely compromise the integrity and confidentiality of your video platform.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for suspicious POST requests to the objects/import.json.php endpoint that include the fileURI parameter. Since the vulnerability allows authenticated users with upload permissions to specify arbitrary file paths ending with .mp4, unusual or unexpected fileURI values pointing outside the videos/ directory may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'You can look for POST requests where the fileURI parameter contains path traversal patterns or points to files outside the intended videos directory.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity on a web server log might include:'}, {'type': 'list_item', 'content': 'Using grep to find POST requests with fileURI parameters ending in .mp4:'}, {'type': 'list_item', 'content': "grep -i 'POST.*fileURI=.*\\.mp4' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Searching for suspicious path traversal patterns (e.g., ../) in fileURI values:'}, {'type': 'list_item', 'content': "grep -i 'fileURI=.*\\.mp4' /var/log/apache2/access.log | grep '\\.\\./'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for HTTP 403 Forbidden responses from import.json.php may indicate attempts to access disallowed paths if the patch is applied.'}] [2]

Mitigation Strategies

Immediate mitigation steps include applying the patch that enforces strict validation of the fileURI parameter to restrict file access to the videos/ directory.

Specifically:

  • Implement realpath() checks to resolve the absolute path of the fileURI and verify it is within the allowed videos/ directory.
  • Reject requests where the resolved path is outside the videos/ directory with an HTTP 403 Forbidden response.
  • Continue to verify that the fileURI ends with .mp4 using a case-insensitive regex.
  • Ensure that only authenticated users with upload permissions can access the import functionality.

If patching is not immediately possible, consider restricting access to the import.json.php endpoint to trusted users only and monitoring logs for suspicious activity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33493. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart