Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
Published: 2026-04-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability resides in the GIF poster generation component of WWBN AVideo. An authenticated uploader can supply a same-origin /videos/... URL to objects/aVideoEncoderReceiveImage.json.php, which mistakenly allows directory traversal before accessing files in the GIF storage directory. This flaw lets a malicious user read arbitrary server-side files, such as /etc/passwd or the application's source code, and serve them back through a publicly accessible GIF media URL. The weakness is a classic path traversal condition (CWE-22) and results in loss of confidentiality for sensitive filesystem content.

Affected Systems

The issue affects the open source WWBN AVideo platform, specifically all releases up to and including version 26.0. Administrators or authenticated users with upload privileges on the platform are able to exploit this flaw. Deployments running these older AVideo versions are therefore at risk until the platform is updated.

Risk and Exploitability

The CVSS score of 7.6 indicates a high-severity threat. Because exploitation requires authentication as an uploader, an attacker must hold valid account credentials, which reduces the overall attack surface compared to unauthenticated flaws. EPSS data is not available, and the vulnerability is not listed in the KEV catalog, but the high severity score suggests it should be treated with urgency. The attacker can compromise confidentiality but cannot directly execute code on the server through this vector.

Generated by OpenCVE AI on April 7, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WWBN AVideo version 26.1 or later when it is released; if an official patch is not yet available, disable the GIF poster feature for authenticated uploads until a fix is deployed.
  • Restrict access to the /videos/ directory by applying stricter file system permissions to prevent unprivileged users from accessing the GIF storage path.
  • Enforce tighter authentication controls and monitor upload activity for abnormal patterns that could indicate exploitation.
  • If a temporary workaround is necessary, block access to the /videos/... endpoint for unauthenticated users and validate or sanitize all file paths before fetching media.

Generated by OpenCVE AI on April 7, 2026 at 22:20 UTC.
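The Impact section above describes a fetched /videos/... URL being turned into a local path without effective traversal scrubbing, and the last recommended action is to validate all file paths before fetching media. The following PHP is an added example of such a containment check; it is not AVideo project code, and the function names, the /videos/ prefix-to-storage-directory mapping, and the demo directory are assumptions made for illustration.

```php
<?php
// Added example (not AVideo project code): confine a caller-supplied name to a
// fixed GIF storage directory before it is used for any file read or write.
// $gifStorageDir, $requestedName and the /videos/ mapping are assumed names.

function resolveInsideStorage(string $gifStorageDir, string $requestedName): ?string
{
    $base = realpath($gifStorageDir);
    if ($base === false) {
        return null; // the storage directory itself must exist
    }
    // Reject null bytes (PHP filesystem calls refuse them) and anything that is
    // not a single plain file name: separators, "." and ".." all fail basename().
    if ($requestedName === '' || strpos($requestedName, "\0") !== false
        || basename($requestedName) !== $requestedName
        || $requestedName === '.' || $requestedName === '..') {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $requestedName;
    // An existing entry may be a symlink: canonicalise it and re-check containment.
    $resolved = file_exists($candidate) ? realpath($candidate) : $candidate;
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Map a same-origin /videos/<name> URL to a storage path, or null if it is not
// a plain same-origin media URL. Percent-decoding happens before the name check,
// so encoded traversal sequences are rejected like literal ones.
function storagePathForSameOriginUrl(string $url, string $expectedHost, string $gifStorageDir): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], $expectedHost) !== 0) {
        return null;
    }
    $urlPrefix = '/videos/';
    if (strncmp($parts['path'], $urlPrefix, strlen($urlPrefix)) !== 0) {
        return null;
    }
    $name = rawurldecode(substr($parts['path'], strlen($urlPrefix)));
    return resolveInsideStorage($gifStorageDir, $name);
}

// Demo with a constructed temporary storage directory.
$storage = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gif-storage-demo';
@mkdir($storage, 0700);
$inputs = [
    'poster.gif',                       // plain name, accepted
    '../../etc/passwd',                 // literal traversal, rejected
    '%2e%2e/%2e%2e/etc/passwd',         // encoded traversal, rejected after decoding
    'sub/poster.gif',                   // nested path, rejected (single name only)
];
foreach ($inputs as $name) {
    $path = storagePathForSameOriginUrl('https://example.test/videos/' . $name, 'example.test', $storage);
    printf("%-28s => %s\n", $name, $path === null ? 'rejected' : $path);
}
```

The check works by construction rather than by scrubbing: instead of removing "../" from the input, it accepts only a bare file name and then confirms the canonical result still starts with the storage directory, so symlinks and encoded separators are caught the same way. A URL on a different host or scheme is refused before any filesystem call is made.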

Advisories
Source: GitHub GHSA
ID: GHSA-f4f9-627c-jh33
Title: WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
History

Wed, 22 Apr 2026 19:00:00 +0000

CPEs (values added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 00:00:00 +0000


Wed, 08 Apr 2026 19:45:00 +0000

First Time appeared (values added): Wwbn, Wwbn avideo
Vendors & Products (values added): Wwbn, Wwbn avideo

Wed, 08 Apr 2026 15:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Description (values added): WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
Title (values added): WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
Weaknesses (values added): CWE-22
References (values added)
Metrics (values added): cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T16:05:11.967Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39369

Vulnrichment

Updated: 2026-04-08T14:37:16.894Z

NVD

Status: Analyzed

Published: 2026-04-07T20:16:31.320

Modified: 2026-04-22T18:50:33.113

Link: CVE-2026-39369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:46:18Z

Weaknesses