CVE-2026-39369
Directory Traversal in WWBN AVideo Enables Local File Exposure
Publication date: 2026-04-07
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 26.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39369 is a high-severity vulnerability in WWBN AVideo versions up to 26.0 that allows an authenticated uploader to perform a path traversal attack. This occurs in the endpoint objects/aVideoEncoderReceiveImage.json.php, which is intended to fetch GIF images via a parameter called downloadURL_gifimage.
The application tries to prevent directory traversal by removing '../' sequences, but this scrubbing can be bypassed using overlapping traversal inputs like '....//'. This allows attackers to specify same-origin URLs under /videos/... that actually resolve to arbitrary local filesystem paths.
As a result, the attacker can read local server files such as /etc/passwd or application source files. These files are then republished through a public GIF media URL because the system incorrectly handles invalid GIF cleanup, leaving non-image payloads accessible.
How can this vulnerability impact me? :
This vulnerability allows an authenticated uploader to read arbitrary local files on the server, including sensitive system files, application source code, and deployment-specific configuration files.
The attacker can then republish these files through publicly accessible GIF URLs, potentially exposing confidential information to unauthorized users.
The impact includes a high confidentiality breach, with additional risks to integrity and availability, as indicated by the CVSS score.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint objects/aVideoEncoderReceiveImage.json.php containing the parameter downloadURL_gifimage with crafted traversal payloads such as '....//' sequences.
A proof of concept involves logging in as an uploader, creating a video, and sending a POST request with a downloadURL_gifimage parameter pointing to URLs like https://localhost/videos/....//....//....//etc/passwd.
To detect exploitation attempts, you can search web server logs for POST requests to objects/aVideoEncoderReceiveImage.json.php with suspicious downloadURL_gifimage parameters containing traversal patterns.
- Example command to search logs for suspicious traversal payloads: grep -E "downloadURL_gifimage=.*(\.\.\/|\.\.\\|\.\.\/\/|\.\.\\\\)" /path/to/access.log
- Use curl or similar tools to test the endpoint with crafted payloads: curl -X POST -d "downloadURL_gifimage=https://localhost/videos/....//....//etc/passwd" https://your-avideo-instance/objects/aVideoEncoderReceiveImage.json.php -b cookies.txt
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the vulnerable endpoint objects/aVideoEncoderReceiveImage.json.php for authenticated uploaders until a patch is applied.
Implement strict input validation to reject any remote image URL whose decoded path contains traversal markers.
Disallow attacker-controlled same-origin /videos/... fetches that resolve to local file reads by enforcing strict path resolution using realpath() and base-directory allowlists.
Validate GIF content before saving it to public media storage and ensure invalid-image cleanup operates on the correct destination path.
Monitor and audit uploader activity for suspicious requests and consider applying any available patches or updates from WWBN/AVideo as soon as possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated uploader to read arbitrary local server files, including sensitive system files, application source code, and deployment-specific configuration, and republish them through publicly accessible GIF URLs.
Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to and disclosure of personal and sensitive information.
Because the vulnerability enables exposure of potentially sensitive files, organizations using affected versions of WWBN AVideo may face increased risk of data breaches and regulatory penalties if personal or protected health information is compromised.