Executive Summary

CVE-2026-46337 is a vulnerability in the WWBN AVideo platform (versions up to and including 14.x) where an unauthenticated remote attacker can exploit a path traversal flaw in the `view/img/image404Raw.php` endpoint.

The vulnerability occurs because the `image` GET parameter is directly concatenated into a filesystem path without proper validation, allowing attackers to use sequences like `../` to access files outside the intended directories.

The endpoint attempts to verify that the requested file is an image by checking its headers with `getimagesize()`, but this only confirms the file format and does not prevent unauthorized file access.

As a result, attackers can read arbitrary image files anywhere on the server that the PHP user can open, including private user-profile photos, admin-uploaded thumbnails, encrypted-video poster frames, and images from sibling applications.

No authentication is required to exploit this vulnerability, and the endpoint even falls back to using the request URI, further increasing the attack surface.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to severe privacy violations by allowing attackers to enumerate and exfiltrate private images stored on the server.

Attackers can access sensitive images such as private user-profile photos, admin-uploaded thumbnails, and encrypted-video poster frames that are normally protected by access controls.

Although it does not expose source code or credentials directly, the unauthorized disclosure of private images can damage user trust and potentially lead to further exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unauthorized access attempts to the vulnerable endpoint `view/img/image404Raw.php` with path traversal sequences in the `image` GET parameter.

You can monitor web server logs for requests containing patterns like `../` or other path traversal sequences targeting this endpoint.

Example commands to detect such attempts include:

• Using grep to find suspicious requests in Apache or Nginx logs: `grep 'view/img/image404Raw.php' /var/log/apache2/access.log | grep '\.\./'`
• Using curl to test the vulnerability manually: `curl 'http://yourserver/view/img/image404Raw.php?image=../../../../etc/passwd'` to see if arbitrary files can be read.
• Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns targeting this endpoint.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and implementing input validation to block path traversal sequences.

Specifically:

• Block or restrict access to `view/img/image404Raw.php` endpoint via web server configuration or firewall rules.
• Implement input validation to reject any `image` parameter values containing `../` or other path traversal patterns.
• Apply the recommended fix involving three layers of validation: rejecting path traversal sequences, resolving real paths with prefix containment checks, and maintaining image format verification.
• Monitor and audit logs for suspicious access attempts.

Since the vulnerability is unpatched in the current master branch, consider isolating the affected service or applying temporary access controls until a patch is available.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated remote attackers to read arbitrary image files, including private user-profile photos and other sensitive images that are normally protected by access controls.

This unauthorized access and potential exfiltration of private images can lead to severe privacy violations.

Such privacy breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

Useful 0 Not Useful 0