CVE-2026-33681
Path Traversal SQL Injection in WWBN AVideo Plugin Endpoint
Publication date: 2026-03-23
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 26.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33681 is a high-severity path traversal vulnerability in the WWBN AVideo platform (versions up to 26.0) affecting the endpoint `objects/pluginRunDatabaseScript.json.php`.
This endpoint accepts a POST parameter called `name` which is passed to a function that constructs a file path without properly sanitizing the input for path traversal characters.
Because of this lack of sanitization, an authenticated admin or an attacker exploiting Cross-Site Request Forgery (CSRF) can traverse outside the intended plugin directory and execute arbitrary SQL scripts named `install.sql` located anywhere on the filesystem.
The SQL scripts are executed directly against the application database, allowing attackers to run arbitrary SQL queries.
Additionally, error messages from failed SQL queries leak raw SQL content and database error details, causing information disclosure.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including:
- Execution of arbitrary SQL queries on the application database.
- Creation of unauthorized admin accounts or modification of existing data.
- Extraction or leakage of sensitive data due to information disclosure from error messages.
- Remote exploitation via CSRF without needing direct admin credentials.
- Potential chaining with other vulnerabilities to write and execute malicious SQL files, leading to further compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "Detection of this vulnerability involves identifying attempts to exploit the unsanitized 'name' parameter in POST requests to the endpoint 'objects/pluginRunDatabaseScript.json.php'. Monitoring HTTP POST requests to this endpoint for suspicious 'name' values containing path traversal sequences (e.g., '../') can indicate exploitation attempts."}, {'type': 'paragraph', 'content': 'Additionally, checking web server logs or application logs for error messages that leak raw SQL content or MySQL errors related to this endpoint can help detect exploitation or attempted exploitation.'}, {'type': 'list_item', 'content': "Use network monitoring tools or web application firewalls (WAF) to filter or alert on POST requests to 'objects/pluginRunDatabaseScript.json.php' with 'name' parameters containing '../' or other path traversal patterns."}, {'type': 'list_item', 'content': "Inspect web server or application logs for HTTP POST requests to 'objects/pluginRunDatabaseScript.json.php' and look for error responses containing SQL errors or raw SQL content."}, {'type': 'list_item', 'content': "Example command to search web server logs for suspicious POST requests (assuming Apache logs):\n\n grep 'POST /objects/pluginRunDatabaseScript.json.php' /var/log/apache2/access.log | grep '\\.\\./'"}, {'type': 'list_item', 'content': "Example command to search application logs for SQL error messages related to this endpoint:\n\n grep 'pluginRunDatabaseScript.json.php' /path/to/application/logs/error.log | grep 'SQL'"}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include applying the security patch that sanitizes the 'name' parameter and adds CSRF protection to the vulnerable endpoint."}, {'type': 'list_item', 'content': "Sanitize the 'name' parameter by removing all characters except alphanumeric and underscore using a regular expression, for example:\n\n $pluginName = trim(preg_replace('/[^0-9a-z_]/i', '', $_POST['name']));"}, {'type': 'list_item', 'content': "Add CSRF token validation in 'pluginRunDatabaseScript.json.php' by verifying the global token with a function like 'isGlobalTokenValid()' and rejecting requests with invalid tokens."}, {'type': 'list_item', 'content': 'Enforce that the HTTP request method to this endpoint must be POST and reject other methods with appropriate HTTP status codes.'}, {'type': 'list_item', 'content': 'Update the frontend AJAX calls to include the global CSRF token in POST data to ensure token validation succeeds.'}, {'type': 'paragraph', 'content': 'If immediate patching is not possible, restrict access to the vulnerable endpoint to trusted administrators only and monitor for suspicious activity.'}] [1, 2]