CVE-2026-46337
Path Traversal in WWBN AVideo
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 14.x (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46337 is a vulnerability in the WWBN AVideo platform (versions up to and including 14.x) where an unauthenticated remote attacker can exploit a path traversal flaw in the `view/img/image404Raw.php` endpoint.
The vulnerability occurs because the `image` GET parameter is directly concatenated into a filesystem path without proper validation, allowing attackers to use sequences like `../` to access files outside the intended directories.
The endpoint attempts to verify that the requested file is an image by checking its headers with `getimagesize()`, but this only confirms the file format and does not prevent unauthorized file access.
As a result, attackers can read arbitrary image files anywhere on the server that the PHP user can open, including private user-profile photos, admin-uploaded thumbnails, encrypted-video poster frames, and images from sibling applications.
No authentication is required to exploit this vulnerability, and the endpoint even falls back to using the request URI, further increasing the attack surface.
How can this vulnerability impact me? :
This vulnerability can lead to severe privacy violations by allowing attackers to enumerate and exfiltrate private images stored on the server.
Attackers can access sensitive images such as private user-profile photos, admin-uploaded thumbnails, and encrypted-video poster frames that are normally protected by access controls.
Although it does not expose source code or credentials directly, the unauthorized disclosure of private images can damage user trust and potentially lead to further exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized access attempts to the vulnerable endpoint `view/img/image404Raw.php` with path traversal sequences in the `image` GET parameter.
You can monitor web server logs for requests containing patterns like `../` or other path traversal sequences targeting this endpoint.
Example commands to detect such attempts include:
- Using grep to find suspicious requests in Apache or Nginx logs: `grep 'view/img/image404Raw.php' /var/log/apache2/access.log | grep '\.\./'`
- Using curl to test the vulnerability manually: `curl 'http://yourserver/view/img/image404Raw.php?image=../../../../etc/passwd'` to see if arbitrary files can be read.
- Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns targeting this endpoint.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint and implementing input validation to block path traversal sequences.
Specifically:
- Block or restrict access to `view/img/image404Raw.php` endpoint via web server configuration or firewall rules.
- Implement input validation to reject any `image` parameter values containing `../` or other path traversal patterns.
- Apply the recommended fix involving three layers of validation: rejecting path traversal sequences, resolving real paths with prefix containment checks, and maintaining image format verification.
- Monitor and audit logs for suspicious access attempts.
Since the vulnerability is unpatched in the current master branch, consider isolating the affected service or applying temporary access controls until a patch is available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote attackers to read arbitrary image files, including private user-profile photos and other sensitive images that are normally protected by access controls.
This unauthorized access and potential exfiltration of private images can lead to severe privacy violations.
Such privacy breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.