Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
Published: 2026-03-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion and potential denial of service
Action: Patch immediately
AI Analysis

Impact

The vulnerability resides in the deleteDump parameter of the cloneSite plugin for the AVideo video platform. This parameter is passed directly to the unlink() function without sanitization, enabling an attacker who gains valid clone credentials to inject path traversal sequences such as ../../. This allows deletion of any file accessible to the web server, including critical configuration files like configuration.php. The consequence is loss of service or facilitation of further attacks through removal of security‑critical components.

Affected Systems

AVideo, an open‑source video hosting platform distributed by WWBN, is affected for all releases prior to version 26.0. Users operating any pre‑26.0 build are susceptible to this flaw.

Risk and Exploitability

The CVSS base score of 8.1 places this issue in the high‑severity range. An EPSS score below 1 % indicates a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. However, an attacker must possess clone credentials to craft the malicious deleteDump request. Once authenticated, the path traversal can be used to delete arbitrary files, causing immediate denial of service or enabling cascading attacks through removal of security files. Given the high impact and the need for authenticated access, the risk is considerable for any organization running vulnerable AVideo instances.

Generated by OpenCVE AI on March 24, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to version 26.0 or later, which removes the vulnerable deleteDump handling
  • Verify that the cloneSite plugin is not exposed to untrusted users by restricting clone feature access or disabling the feature if not required
  • If an upgrade is delayed, remove or rename the configuration files such as configuration.php and place them in a protected location to mitigate accidental deletion
  • Apply general security best practices: enforce least‑privilege for clone users, monitor file integrity, and regularly scan for unintended file modifications

Generated by OpenCVE AI on March 24, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xmjm-86qv-g226 AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
History

Tue, 24 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Sun, 22 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
Title AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:48:13.332Z

Reserved: 2026-03-18T18:55:47.426Z

Link: CVE-2026-33293

cve-icon Vulnrichment

Updated: 2026-03-24T17:48:05.525Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T17:17:08.950

Modified: 2026-03-24T21:14:05.510

Link: CVE-2026-33293

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:50:30Z

Weaknesses