Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
Published: 2026-03-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Filesystem Enumeration
Action: Apply Patch
AI Analysis

Impact

AVideo’s listFiles.json.php endpoint allows an authenticated user to pass any absolute path to the server, which the application then feeds directly to the glob() function. This path‑traversal flaw lets the attacker enumerate .mp4 files and discover their full filesystem paths, even outside the web root, exposing private media and other sensitive files.

Affected Systems

The vulnerability affects the WWBN AVideo open‑source video platform. Versions prior to 26.0 are impacted; the fix was implemented in version 26.0.

Risk and Exploitability

The CVSS base score is 4.3 and the EPSS score is less than 1%, indicating a low probability of exploitation in the wild. The flaw is limited to authenticated uploaders, so an attacker would need valid credentials. However, the potential for confidential data leakage makes the issue significant enough to address promptly. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on March 23, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AVideo version 26.0 or later to apply the patch.
  • If upgrading is not immediately possible, limit the uploader role’s file system permissions so glob() can only access the intended media directories and deny access to other paths.
  • Verify that the server’s web root configuration continues to prevent traversal outside the designated media directories.
  • Monitor application logs for unusual file enumeration activity and enforce strict access controls on user roles.

Generated by OpenCVE AI on March 23, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4wmm-6qxj-fpj4 AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration
History

Mon, 13 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
Title AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T17:41:47.151Z

Reserved: 2026-03-18T02:42:27.508Z

Link: CVE-2026-33238

cve-icon Vulnrichment

Updated: 2026-03-24T13:42:06.819Z

cve-icon NVD

Status : Modified

Published: 2026-03-21T00:16:26.700

Modified: 2026-04-13T18:16:29.743

Link: CVE-2026-33238

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:31Z

Weaknesses