Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
Published: 2026-04-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

An incomplete patch in AVideo’s CloneSite feature leaves the deleteDump GET parameter without any path‑traversal filtering. An attacker who can send crafted URLs that contain "../../" sequences can cause the server to execute unlink() on arbitrary files. The result is unauthorized deletion of files on the host, which can lead to data loss, service disruption, or further compromise if critical system files are targeted.

Affected Systems

WWBN AVideo versions 29.0 and earlier are affected. These releases lack the full path‑validation logic that was added in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2.

Risk and Exploitability

The CVSS score of 8.1 classifies this flaw as high severity, and although EPSS data is not available, the weakness is present in a publicly reachable web endpoint, making remote exploitation feasible. The vulnerability is not listed in the CISA KEV catalog, but the lack of mitigation in affected releases poses a significant risk to exposed installations.

Generated by OpenCVE AI on April 22, 2026 at 06:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the AVideo patch that implements proper path‑traversal validation (commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 or any newer release that includes this fix).
  • Restrict access to the CloneSite deleteDump endpoint so that only authorized administrative accounts can trigger it.
  • Review and tighten file system permissions for directories used by deleteDump to restrict unlink operations to the application’s process user.

Generated by OpenCVE AI on April 22, 2026 at 06:14 UTC.
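
A detection sketch for the behaviour described above, added here as an example and not part of the OpenCVE record or the AVideo code base: it scans web access logs for requests whose `deleteDump` query parameter contains a `..` path segment after percent-decoding. The log lines, the endpoint path `/EXAMPLE/clone-endpoint.php` and the file names are constructed placeholders, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format). The endpoint path
# and file names are placeholders, not AVideo's real paths.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2026:01:02:03 +0000] "GET /EXAMPLE/clone-endpoint.php?deleteDump=dump_20260421.sql HTTP/1.1" 200 12
203.0.113.9 - - [22/Apr/2026:01:05:10 +0000] "GET /EXAMPLE/clone-endpoint.php?deleteDump=../../placeholder.txt HTTP/1.1" 200 12
203.0.113.9 - - [22/Apr/2026:01:05:12 +0000] "GET /EXAMPLE/clone-endpoint.php?deleteDump=..%2F..%2Fplaceholder2.txt HTTP/1.1" 200 12
198.51.100.7 - - [22/Apr/2026:01:06:00 +0000] "GET /EXAMPLE/other.php?file=../x HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def normalise(value, rounds=3):
    """Percent-decode repeatedly (bounded) and unify separators before comparing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(value):
    """True when any path segment of the normalised value is exactly '..'."""
    return ".." in normalise(value).split("/")

def find_suspicious(log_text, param="deleteDump"):
    """Return (client_ip, status, decoded_value) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, target, status = m.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key == param and is_traversal(value):
                hits.append((ip, int(status), normalise(value)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Hits against an unpatched release are worth correlating with missing files on the host, since the access log alone does not show whether the `unlink()` succeeded.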

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wwbn, Wwbn avideo |
| Vendors & Products | | Wwbn, Wwbn avideo |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix. |
| Title | | AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo |
| Weaknesses | | CWE-22 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T22:43:17.095Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41058

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T23:16:21.117

Modified: 2026-04-21T23:16:21.117

Link: CVE-2026-41058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z
