Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch.
Published: 2026-03-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file read, deletion, and private video theft
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in the import.json.php endpoint, where the user-controlled fileURI POST parameter is validated only for a .mp4 suffix, with no check that the resolved path lies inside the videos/ directory. This oversight allows an authenticated user with upload permission to supply arbitrary file paths: any .mp4 on the server's filesystem can be imported into the attacker's own account, and .txt/.html/.htm files sitting next to such a file can be read. As a result, attackers can steal other users' private videos, exfiltrate sensitive text or HTML files located next to video files, and delete both the .mp4 files and their neighbouring text files if the web server process has write permission on them. The weakness is a classic path-traversal flaw (CWE-22).

Affected Systems

The affected product is WWBN AVideo. All releases up to and including version 26.0 are vulnerable. Users running those versions of the platform are susceptible to the described attacks. The issue was known to the developers and a patch commit (e110ff542acdd7e3b81bdd02b8402b9f6a61ad78) addresses the flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium-to-high severity level. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The requirement for an authenticated account with upload permission narrows the pool of potential attackers, but such an account is readily obtained in environments with lax account controls. The missing directory restriction is the core exploit vector: once an authenticated user reaches the endpoint, they can perform the full set of actions described above. Prompt remediation is therefore advisable.

Generated by OpenCVE AI on March 24, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch to import.json.php (commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78) or upgrade to a later release that includes the fix.
  • Verify that the endpoint now uses realpath() and directory prefix checks to restrict file access to the videos/ directory.
  • If an immediate patch is not possible, remove or limit upload permissions for users to prevent unauthorized use of import.json.php.
  • Monitor server logs for unusual fileURI parameters or repeated attempts to read non‑video files.

Generated by OpenCVE AI on March 24, 2026 at 19:28 UTC.
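As an added illustration, not AVideo's own code, the following contrasts the suffix-only check described above with a realpath() plus directory-prefix check of the kind the description attributes to listFiles.json.php (the check the recommended actions say to verify). The videos/ location and the file layout built in the temp directory are assumptions.

```php
<?php
// Added illustration, not AVideo's code: suffix-only check versus a
// realpath() + directory-prefix check. The videos/ location and the
// example paths are assumptions.

// Weak form: only the extension is validated, so the resolved path may
// lie anywhere on the filesystem.
function acceptsBySuffixOnly(string $fileURI): bool
{
    return preg_match('/\.mp4$/i', $fileURI) === 1;
}

// Hardened form: resolve symlinks and ".." with realpath(), then require
// the result to sit inside the allowed directory. Returns the canonical
// path on success, or null if the file must not be touched.
function resolveWithinVideos(string $fileURI, string $videosDir): ?string
{
    if (preg_match('/\.mp4$/i', $fileURI) !== 1) {
        return null;
    }
    $base = realpath($videosDir);
    $real = realpath($fileURI);       // false if the file does not exist
    if ($base === false || $real === false) {
        return null;
    }
    // Compare against the base with a trailing separator so a sibling
    // such as "videos_backup" cannot pass as a prefix match for "videos".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

// Self-contained demonstration on a constructed layout in the temp dir.
$root   = sys_get_temp_dir() . '/avideo-demo-' . getmypid();
$videos = "$root/videos";
mkdir("$videos/user1", 0700, true);
mkdir("$root/private", 0700, true);
touch("$videos/user1/clip.mp4");
touch("$root/private/secret.mp4");

$inside  = "$videos/user1/clip.mp4";
$outside = "$videos/../private/secret.mp4";   // traverses out of videos/

var_dump(acceptsBySuffixOnly($outside));            // suffix-only check
var_dump(resolveWithinVideos($outside, $videos));   // hardened check, same path
var_dump(resolveWithinVideos($inside, $videos));    // hardened check, legitimate path
```

The hardened form also rejects a path that does not exist yet, which is the right outcome for an import endpoint but would need adjusting for a writer that creates files.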

Advisories
Source: GitHub GHSA
ID: GHSA-83xq-8jxj-4rxm
Title: AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
History

Tue, 24 Mar 2026 18:30:00 +0000
  CPEs (added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000
  First Time appeared (added): Wwbn; Wwbn avideo
  Vendors & Products (added): Wwbn; Wwbn avideo

Mon, 23 Mar 2026 17:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 16:15:00 +0000
  Description (added): as given under Description above
  Title (added): AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
  Weaknesses (added): CWE-22
  References (added): none listed
  Metrics (added): cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T16:33:28.572Z

Reserved: 2026-03-20T16:59:08.887Z

Link: CVE-2026-33493

Vulnrichment

Updated: 2026-03-23T16:33:25.613Z

NVD

Status : Analyzed

Published: 2026-03-23T16:16:49.433

Modified: 2026-03-24T18:17:24.070

Link: CVE-2026-33493

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:29Z

Weaknesses