Impact
The vulnerability arises from the pluginRunDatabaseScript.json.php endpoint in AVideo, which accepts a server-side name parameter through a POST request and passes it directly to the Plugin::getDatabaseFileName() function without sanitizing for path traversal characters. This flaw allows an authenticated administrator, or an attacker who can perform a cross‑site request forgery on an authenticated admin session, to specify a filename that points outside the plugin directory. The endpoint then interprets the selected file as a raw SQL script and executes its contents against the application database. An attacker exploiting this flaw could run arbitrary SQL commands, potentially extracting sensitive data, modifying or deleting records, and compromising the integrity and confidentiality of the platform. The impact is therefore a form of remote database code execution rather than arbitrary system code execution.
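As an added illustration (not AVideo's code, and in Python rather than the project's PHP), the two halves of the flaw described above: a resolver that splices the caller-supplied plugin name into the script path unchanged, beside a hardened resolver that allowlists the name and then verifies the resolved path still lies inside the plugin root. The layout `plugin/<name>/install/install.sql`, the plugin root, and all function names are assumptions.

```python
import os
import re

# Assumed layout (hypothetical, not AVideo's): plugin/<name>/install/install.sql
SCRIPT_SUBPATH = ("install", "install.sql")

# Allowlist for the plugin name: letters, digits, underscore only, bounded length.
PLUGIN_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


class InvalidPluginName(ValueError):
    """Raised when a plugin name fails the allowlist or escapes the plugin root."""


def unchecked_database_script_path(plugin_root: str, name: str) -> str:
    """The vulnerable pattern: the request parameter goes straight into the path.

    Nothing here stops '..' segments or an absolute name from selecting a file
    outside plugin_root, which the endpoint would then execute as SQL.
    """
    return os.path.join(plugin_root, name, *SCRIPT_SUBPATH)


def is_valid_plugin_name(name: str) -> bool:
    """First control: reject anything that is not a plain identifier."""
    return PLUGIN_NAME_RE.fullmatch(name) is not None


def path_stays_inside(plugin_root: str, path: str) -> bool:
    """Second control: after resolving symlinks and '..', the target must remain
    under plugin_root. commonpath() is used rather than a string prefix test so
    that a sibling such as '/srv/avideo/plugin2' cannot pass as 'inside'."""
    root = os.path.realpath(plugin_root)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def safe_database_script_path(plugin_root: str, name: str) -> str:
    """Hardened resolver: allowlist the name, build the path, confirm containment."""
    if not is_valid_plugin_name(name):
        raise InvalidPluginName(f"rejected plugin name: {name!r}")
    candidate = os.path.join(os.path.realpath(plugin_root), name, *SCRIPT_SUBPATH)
    if not path_stays_inside(plugin_root, candidate):
        raise InvalidPluginName(f"script path escapes plugin root: {candidate}")
    return os.path.realpath(candidate)
```

The containment check is kept even though the allowlist already excludes separators, so that a future relaxation of the name pattern does not silently reopen the traversal.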
Affected Systems
The affected product is the open‑source video platform developed by WWBN, known as AVideo. Versions of the software up through 26.0 contain the flaw. Any deployment of AVideo in this version range is susceptible if the pluginRunDatabaseScript.json.php endpoint is reachable and the attacker either holds an administrator session or can induce an authenticated administrator's browser to submit the request via CSRF.
Risk and Exploitability
The Common Vulnerability Scoring System assigns a 7.2 (High) severity to this flaw, reflecting significant potential damage if exploited. The Exploit Prediction Scoring System reports an exploitation probability of less than 1 %, indicating that while feasible, it is unlikely to be targeted widely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no publicly disclosed exploits are known. A likely attack path requires authenticated administrative access or a successful CSRF attack, after which the attacker can supply a malicious pathname to execute arbitrary SQL files located anywhere on the file system. The presence of a patch in the project’s repository mitigates the risk once applied.
OpenCVE Enrichment
Github GHSA