Impact
WWBN AVideo's HLS streaming endpoint, located at view/hls.php, contains a path traversal flaw that permits an unauthenticated attacker to bypass authorization checks and stream private or paid video content. The vulnerability arises from inconsistent handling of the videoDirectory GET parameter: the authorization code path truncates the value at the first slash to obtain the video identifier it checks, while the file-access code path preserves '..' sequences in the same value, creating a split-oracle condition. Consequently, a crafted request can satisfy the authorization check for one video identifier while actually serving the media of another protected video, effectively leaking confidential footage.
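The split handling described above, as an added Python example that is not AVideo's own code (AVideo is written in PHP): a reconstruction of the bug class next to a hardened resolver that derives the authorization identifier and the served path from one canonical value. MEDIA_ROOT and the directory names are constructed placeholders, not paths from the advisory.

```python
from __future__ import annotations
import os
from pathlib import Path

# Constructed placeholder for the media root; not AVideo's real layout.
MEDIA_ROOT = Path("/srv/avideo/videos").resolve()


def naive_split_handling(video_directory: str) -> tuple[str, Path]:
    """Reconstruction of the bug class (not AVideo's code).

    The authorization id is the text before the first slash, while the
    served path keeps the raw value, '..' included. The two can refer to
    different videos, which is the split oracle the advisory describes.
    """
    authz_id = video_directory.split("/", 1)[0]
    served = Path(os.path.normpath(MEDIA_ROOT / video_directory))
    return authz_id, served


def resolve_video(video_directory: str) -> tuple[str, Path]:
    """Hardened form: validate the raw value as a single directory name,
    then canonicalize once and confine it to MEDIA_ROOT. The id that is
    authorized is taken from the same canonical path whose files are
    served, so there is no second interpretation to disagree with."""
    if not video_directory or "\x00" in video_directory:
        raise ValueError("empty or NUL-containing video directory")
    # A video directory is one path component; separators and '..' are
    # never legitimate in it, so reject them before touching the file system.
    if "/" in video_directory or "\\" in video_directory:
        raise ValueError("video directory must not contain separators")
    if video_directory in (".", ".."):
        raise ValueError("video directory must not be a dot segment")
    # Defense in depth: resolve symlinks and confirm containment in the root.
    candidate = (MEDIA_ROOT / video_directory).resolve()
    try:
        rel = candidate.relative_to(MEDIA_ROOT)
    except ValueError:
        raise ValueError("video directory escapes media root") from None
    if len(rel.parts) != 1:
        raise ValueError("video directory must be a single directory name")
    # Authorization and file access both use this one canonical id.
    return rel.parts[0], candidate
```

Both functions return the (authorization id, served path) pair, so a reviewer can compare how the two treatments diverge on the same parameter value.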
Affected Systems
All installations of WWBN AVideo released before version 26.0 are affected. The default vendor/product name used by the CNA is WWBN:AVideo. There is no further sub-version restriction listed, so any legacy deployment older than 26.0 is potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.5 signifies a high severity level for confidentiality. The EPSS score is below 1%, indicating that exploitation likelihood is currently low, and the vulnerability is not yet listed in CISA's KEV catalog. However, the flaw is remotely exploitable by any unauthenticated user capable of issuing HTTP requests to the view/hls.php endpoint with a specially crafted videoDirectory value. The attack vector is likely a direct web request; beyond ordinary network reachability of the endpoint, no special privileges, privileged network position, or additional software is required.