Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue.
Published: 2026-03-23
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Arbitrary Local File Read
Action: Apply Patch
AI Analysis

Impact

An authenticated user with upload privileges can submit a chunkFile parameter that points to any local file on the server. The endpoint accepts the path if it passes a relaxed validation routine, then copies the chosen file into the user's public video storage and serves it over HTTP. This lets the attacker read any file the web server process can access, including configuration files, credentials, or other sensitive data, compromising confidentiality.

Affected Systems

The vulnerability affects WWBN AVideo versions up to and including 26.0. The flaw resides in the POST /objects/aVideoEncoder.json.php endpoint used for staged video uploads, where the chunkFile path is not properly restricted to trusted server-generated locations.

Risk and Exploitability

The issue carries a CVSS score of 7.6, indicating high severity. Its EPSS score is below 1%, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting low current exploitation activity. Once authenticated, the attacker can craft a path to any readable file, copy it into a publicly accessible location, and download it. If file permissions permit, critical files such as /etc/passwd or application configuration files could be exposed.

Generated by OpenCVE AI on March 24, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f or upgrade to a newer AVideo release
  • Verify that the POST endpoint now rejects non-server-generated chunkFile paths and only accepts trusted, server-generated locations
  • If an upgrade is not immediately possible, restrict the upload endpoint to server-generated paths or disable it for users without upload privileges
  • Monitor application logs for suspicious file copy or download activity
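The description above and the recommended action "restrict the upload endpoint to server-generated paths" both come down to how the chunk path is validated. The following PHP is an added illustration, not AVideo's code: a weak check modelled on the described behaviour of `isValidURLOrPath()` (broad directory allowlist, only `.php` rejected) beside a confining check that accepts nothing but a server-generated file name inside the upload's own staging directory. The directory names, the `chunk_<n>.part` naming scheme and both function names are assumptions.

```php
<?php
// Added example; not AVideo's code. Directory names and the chunk naming scheme are assumed.

// Weak check, modelled on the behaviour the advisory describes: any path under a
// broad set of server directories is accepted as long as it does not end in .php.
function weakIsValidPath(string $path): bool {
    $allowedPrefixes = ['/var/www/', '/var/www/html/AVideo/', '/tmp/'];  // assumed
    if (preg_match('/\.php$/i', $path)) {
        return false;                    // the only thing this check refuses
    }
    foreach ($allowedPrefixes as $prefix) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;                 // e.g. an .env or .ini file under /var/www/ passes
        }
    }
    return false;
}

// Confining check: the caller passes the staging directory it created itself;
// the requester may only name a chunk inside it. Returns the resolved path or null.
function resolveTrustedChunk(string $stagingDir, string $requested): ?string {
    $stagingReal = realpath($stagingDir);
    if ($stagingReal === false || !is_dir($stagingReal)) {
        return null;
    }
    // Bare file name only, matching the server's own naming scheme (assumed: chunk_<n>.part).
    if ($requested !== basename($requested) || !preg_match('/^chunk_\d+\.part$/', $requested)) {
        return null;                     // rejects ../, absolute paths and foreign names
    }
    $candidate = realpath($stagingReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() follows symlinks, so a planted link out of the staging dir is caught here.
    $inside = $stagingReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $inside, strlen($inside)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage sketch with constructed values.
$staging = sys_get_temp_dir() . '/avideo_chunks_demo';   // assumed staging location
@mkdir($staging, 0700, true);
file_put_contents("$staging/chunk_1.part", 'demo bytes');
var_dump(weakIsValidPath('/var/www/html/AVideo/configuration.php'));   // false: .php
var_dump(weakIsValidPath('/var/www/html/AVideo/.env'));                // true: the flaw
var_dump(resolveTrustedChunk($staging, 'chunk_1.part') !== null);      // true
var_dump(resolveTrustedChunk($staging, '../../etc/passwd'));           // NULL
```

The weak function is there to show why a deny-list on one extension is not a boundary; only the second function ties the accepted file to a location the server chose.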



Advisories

Source: Github GHSA
ID: GHSA-4jw9-5hrc-m4j6
Title: AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`
History

Wed, 25 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 19:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values added: Wwbn; Wwbn avideo

Mon, 23 Mar 2026 14:30:00 +0000

Type: Description
Values added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue.

Type: Title
Values added: AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`

Type: Weaknesses
Values added: CWE-73

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:13:08.253Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33354

Vulnrichment

Updated: 2026-03-25T14:13:01.251Z

NVD

Status: Analyzed

Published: 2026-03-23T15:16:33.897

Modified: 2026-03-24T18:57:18.607

Link: CVE-2026-33354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:28:06Z

Weaknesses