CVE-2026-33681
Received Received - Intake
Path Traversal SQL Injection in WWBN AVideo Plugin Endpoint

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33681
EUVD
EUVD-2026-14492
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33681 is a high-severity path traversal vulnerability in the WWBN AVideo platform (versions up to 26.0) affecting the endpoint `objects/pluginRunDatabaseScript.json.php`.

This endpoint accepts a POST parameter called `name` which is passed to a function that constructs a file path without properly sanitizing the input for path traversal characters.

Because of this lack of sanitization, an authenticated admin or an attacker exploiting Cross-Site Request Forgery (CSRF) can traverse outside the intended plugin directory and execute arbitrary SQL scripts named `install.sql` located anywhere on the filesystem.

The SQL scripts are executed directly against the application database, allowing attackers to run arbitrary SQL queries.

Additionally, error messages from failed SQL queries leak raw SQL content and database error details, causing information disclosure.

Impact Analysis

This vulnerability can have severe impacts including:

  • Execution of arbitrary SQL queries on the application database.
  • Creation of unauthorized admin accounts or modification of existing data.
  • Extraction or leakage of sensitive data due to information disclosure from error messages.
  • Remote exploitation via CSRF without needing direct admin credentials.
  • Potential chaining with other vulnerabilities to write and execute malicious SQL files, leading to further compromise.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "Detection of this vulnerability involves identifying attempts to exploit the unsanitized 'name' parameter in POST requests to the endpoint 'objects/pluginRunDatabaseScript.json.php'. Monitoring HTTP POST requests to this endpoint for suspicious 'name' values containing path traversal sequences (e.g., '../') can indicate exploitation attempts."}, {'type': 'paragraph', 'content': 'Additionally, checking web server logs or application logs for error messages that leak raw SQL content or MySQL errors related to this endpoint can help detect exploitation or attempted exploitation.'}, {'type': 'list_item', 'content': "Use network monitoring tools or web application firewalls (WAF) to filter or alert on POST requests to 'objects/pluginRunDatabaseScript.json.php' with 'name' parameters containing '../' or other path traversal patterns."}, {'type': 'list_item', 'content': "Inspect web server or application logs for HTTP POST requests to 'objects/pluginRunDatabaseScript.json.php' and look for error responses containing SQL errors or raw SQL content."}, {'type': 'list_item', 'content': "Example command to search web server logs for suspicious POST requests (assuming Apache logs):\n\n grep 'POST /objects/pluginRunDatabaseScript.json.php' /var/log/apache2/access.log | grep '\\.\\./'"}, {'type': 'list_item', 'content': "Example command to search application logs for SQL error messages related to this endpoint:\n\n grep 'pluginRunDatabaseScript.json.php' /path/to/application/logs/error.log | grep 'SQL'"}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include applying the security patch that sanitizes the 'name' parameter and adds CSRF protection to the vulnerable endpoint."}, {'type': 'list_item', 'content': "Sanitize the 'name' parameter by removing all characters except alphanumeric and underscore using a regular expression, for example:\n\n $pluginName = trim(preg_replace('/[^0-9a-z_]/i', '', $_POST['name']));"}, {'type': 'list_item', 'content': "Add CSRF token validation in 'pluginRunDatabaseScript.json.php' by verifying the global token with a function like 'isGlobalTokenValid()' and rejecting requests with invalid tokens."}, {'type': 'list_item', 'content': 'Enforce that the HTTP request method to this endpoint must be POST and reject other methods with appropriate HTTP status codes.'}, {'type': 'list_item', 'content': 'Update the frontend AJAX calls to include the global CSRF token in POST data to ensure token validation succeeds.'}, {'type': 'paragraph', 'content': 'If immediate patching is not possible, restrict access to the vulnerable endpoint to trusted administrators only and monitor for suspicious activity.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33681. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart