CVE-2026-39369
Received Received - Intake
Directory Traversal in WWBN AVideo Enables Local File Exposure

Publication date: 2026-04-07

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39369
EUVD
EUVD-2026-19883
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39369 is a high-severity vulnerability in WWBN AVideo versions up to 26.0 that allows an authenticated uploader to perform a path traversal attack. This occurs in the endpoint objects/aVideoEncoderReceiveImage.json.php, which is intended to fetch GIF images via a parameter called downloadURL_gifimage.

The application tries to prevent directory traversal by removing '../' sequences, but this scrubbing can be bypassed using overlapping traversal inputs like '....//'. This allows attackers to specify same-origin URLs under /videos/... that actually resolve to arbitrary local filesystem paths.

As a result, the attacker can read local server files such as /etc/passwd or application source files. These files are then republished through a public GIF media URL because the system incorrectly handles invalid GIF cleanup, leaving non-image payloads accessible.

Impact Analysis

This vulnerability allows an authenticated uploader to read arbitrary local files on the server, including sensitive system files, application source code, and deployment-specific configuration files.

The attacker can then republish these files through publicly accessible GIF URLs, potentially exposing confidential information to unauthorized users.

The impact includes a high confidentiality breach, with additional risks to integrity and availability, as indicated by the CVSS score.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint objects/aVideoEncoderReceiveImage.json.php containing the parameter downloadURL_gifimage with crafted traversal payloads such as '....//' sequences.

A proof of concept involves logging in as an uploader, creating a video, and sending a POST request with a downloadURL_gifimage parameter pointing to URLs like https://localhost/videos/....//....//....//etc/passwd.

To detect exploitation attempts, you can search web server logs for POST requests to objects/aVideoEncoderReceiveImage.json.php with suspicious downloadURL_gifimage parameters containing traversal patterns.

  • Example command to search logs for suspicious traversal payloads: grep -E "downloadURL_gifimage=.*(\.\.\/|\.\.\\|\.\.\/\/|\.\.\\\\)" /path/to/access.log
  • Use curl or similar tools to test the endpoint with crafted payloads: curl -X POST -d "downloadURL_gifimage=https://localhost/videos/....//....//etc/passwd" https://your-avideo-instance/objects/aVideoEncoderReceiveImage.json.php -b cookies.txt
Mitigation Strategies

Immediate mitigation steps include restricting or disabling the vulnerable endpoint objects/aVideoEncoderReceiveImage.json.php for authenticated uploaders until a patch is applied.

Implement strict input validation to reject any remote image URL whose decoded path contains traversal markers.

Disallow attacker-controlled same-origin /videos/... fetches that resolve to local file reads by enforcing strict path resolution using realpath() and base-directory allowlists.

Validate GIF content before saving it to public media storage and ensure invalid-image cleanup operates on the correct destination path.

Monitor and audit uploader activity for suspicious requests and consider applying any available patches or updates from WWBN/AVideo as soon as possible.

Compliance Impact

This vulnerability allows an authenticated uploader to read arbitrary local server files, including sensitive system files, application source code, and deployment-specific configuration, and republish them through publicly accessible GIF URLs.

Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to and disclosure of personal and sensitive information.

Because the vulnerability enables exposure of potentially sensitive files, organizations using affected versions of WWBN AVideo may face increased risk of data breaches and regulatory penalties if personal or protected health information is compromised.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39369. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart