Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read via directory traversal
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from incomplete validation of the downloadURL parameter in the AVideo ReceiveImage endpoint: the check inspects only the URL path component, so an attacker can place a "/videos/../../" traversal payload in the query string, where the downstream code still splits on "/videos/", and cause the server to read a local file instead. This directory traversal flaw can be exploited to read arbitrary files on the server, potentially exposing sensitive data such as configuration files, credentials, or source code and paving the way for further compromise.
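To make the gap concrete, the following is an added example and not AVideo's own code (nor the code of either commit named above). It places the path-only check the description mentions beside a check over the whole percent-decoded URL, and adds a lexical resolver that refuses any suffix that would climb out of the videos directory. The function names, the base directory and the sample URLs are constructed for illustration.

```php
<?php
// Added example; not AVideo's own code. Function names, the base directory
// and the sample URLs below are constructed for illustration.

// Bounded percent-decoding so that '%2e%2e' and double-encoded forms are
// inspected as the characters they will eventually become.
function decode_fully(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

// Path-only check, the pattern the advisory describes as incomplete:
// only the URL path component is inspected for '..' sequences.
function rejects_by_path_only(string $url): bool
{
    $path = parse_url($url, PHP_URL_PATH);
    return is_string($path) && strpos($path, '..') !== false;
}

// Downstream consumer pattern from the advisory: the FULL URL string is split
// on '/videos/', so a payload placed in the query string survives the path check.
function local_suffix_after_videos(string $url): ?string
{
    $parts = explode('/videos/', $url);
    return count($parts) > 1 ? end($parts) : null;
}

// Hardened check: decode the whole URL (query and fragment included) and
// reject any '..' or backslash anywhere in it, not just in the path.
function rejects_by_full_url(string $url): bool
{
    $decoded = decode_fully($url);
    return strpos($decoded, '..') !== false || strpos($decoded, '\\') !== false;
}

// Defensive resolution: lexically normalise the decoded suffix against a base
// directory and refuse anything that would climb above it. No filesystem
// access is needed, so it also covers paths that do not exist yet.
function resolve_inside_base(string $baseDir, string $suffix): ?string
{
    $segments = [];
    $normalised = str_replace('\\', '/', decode_fully($suffix));
    foreach (explode('/', $normalised) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($segments === []) {
                return null; // would escape $baseDir
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return rtrim($baseDir, '/') . '/' . implode('/', $segments);
}

// Constructed sample inputs: a benign URL, a path payload, and two query-string payloads.
$base = '/var/www/avideo/videos';
$samples = [
    'https://cdn.example.test/videos/abc/thumb.jpg',
    'https://cdn.example.test/videos/../../etc/passwd',
    'https://cdn.example.test/img.jpg?u=/videos/../../etc/passwd',
    'https://cdn.example.test/img.jpg?u=/videos/%2e%2e/%2e%2e/etc/passwd',
];

foreach ($samples as $url) {
    $suffix = local_suffix_after_videos($url);
    $resolved = $suffix === null
        ? '(no /videos/ segment)'
        : (resolve_inside_base($base, $suffix) ?? 'REFUSED');
    printf(
        "%s\n  path-only rejects: %s | full-url rejects: %s | resolves to: %s\n",
        $url,
        rejects_by_path_only($url) ? 'yes' : 'no',
        rejects_by_full_url($url) ? 'yes' : 'no',
        $resolved
    );
}
```

Run with `php example.php`. The third and fourth URLs pass the path-only check because their path is just `/img.jpg`, yet the split on `/videos/` still yields `../../etc/passwd`; the full-URL check and the resolver both refuse them. The resolver is lexical by design; where the target file already exists, comparing `realpath()` of the result against the base directory is a complementary check.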

Affected Systems

WWBN AVideo versions 29.0 and earlier are affected, as they include the buggy handler functions. The issue was introduced in commit 2375eb5e0 and remains until the patch applied in commit bd11c16ec894698e54e2cdae25026c61ad1ed441.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is currently unavailable, suggesting that no high-impact exploitation trend is documented. The vulnerability is not listed in the CISA KEV catalog. As the directory traversal is triggered via a crafted HTTP request, the likely attack vector is remote traffic directed at the API endpoint; an attacker only needs network access to the host. Given the impact of arbitrary file read, a successful request can disclose sensitive files and enable further exploitation. While no active exploitation has been reported currently, the flaw warrants prompt remediation.

Generated by OpenCVE AI on April 22, 2026 at 06:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version that includes commit bd11c16, which implements the proper validation of the full URL string.
  • If an upgrade is not immediately feasible, apply the patch manually by replacing the vulnerable functions or merging the commit into the deployment.
  • Restrict access to the ReceiveImage endpoint to trusted networks or enforce authentication so that only authorized clients can use the downloadURL parameter.

Generated by OpenCVE AI on April 22, 2026 at 06:12 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wwbn
                                       Wwbn avideo
Vendors & Products                     Wwbn
                                       Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.
Title                          WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T17:57:23.136Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41062

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T23:16:21.520

Modified: 2026-04-21T23:16:21.520

Link: CVE-2026-41062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses