CVE-2026-41058
Path Traversal in WWBN AVideo CloneSite Allows Arbitrary File Deletion
Publication date: 2026-04-21
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 29.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, in versions 29.0 and below. It involves the CloneSite feature's `deleteDump` parameter, where an incomplete fix failed to properly filter path traversal sequences. This allows an attacker to use `../../` sequences in the GET parameter to perform an `unlink()` operation on arbitrary files, effectively deleting files outside the intended directory.
How can this vulnerability impact me? :
The vulnerability can lead to the deletion of arbitrary files on the server where WWBN AVideo is hosted. This can cause significant disruption, including loss of important data or system files, potentially leading to denial of service or impacting the integrity and availability of the platform.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix for the CloneSite `deleteDump` parameter path traversal issue. Specifically, apply the fix contained in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 or later.