CVE-2026-41062
Received Received - Intake
Directory Traversal in WWBN AVideo Allows Arbitrary File Read

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41062
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to read arbitrary files from the server filesystem by bypassing directory traversal protections. Such unauthorized access to sensitive files could lead to exposure of personal or protected data.

Exposure of sensitive data due to this vulnerability may impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and health information.

Executive Summary

This vulnerability exists in WWBN AVideo versions 29.0 and below. It is a directory traversal issue where the security fix only checks the URL path component for ".." sequences, but the downstream function processes the full URL including the query string. An attacker can exploit this by placing a traversal payload in the query string, bypassing the security check and allowing them to read arbitrary files from the server filesystem.

Impact Analysis

This vulnerability can allow an attacker to read arbitrary files on the server. This could lead to exposure of sensitive information stored on the server, potentially compromising confidentiality. The CVSS score indicates a high impact on confidentiality with a base score of 6.5.

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit bd11c16ec894698e54e2cdae25026c61ad1ed441, which properly addresses the directory traversal issue.

Avoid using versions 29.0 and below, as they contain an incomplete fix that can be bypassed via specially crafted query strings.

Detection Guidance

This vulnerability involves directory traversal via specially crafted URLs that include the traversal payload in the query string, bypassing checks that only inspect the URL path component.

To detect exploitation attempts on your network or system, you can monitor web server logs for requests containing suspicious patterns such as '/videos/../../' in the query string.

  • Use grep or similar tools to search access logs for traversal patterns in query strings, for example:
  • grep -E '\/videos\/\.\./\.\./' /var/log/apache2/access.log
  • grep -E '\/videos\/\.\./' /var/log/nginx/access.log

Additionally, you can use network monitoring tools or intrusion detection systems (IDS) to alert on HTTP requests containing directory traversal sequences in query parameters.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41062. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart