Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process.
Published: 2026-05-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the view/update.php script of WWBN AVideo 29.0 and earlier, where the $_POST['updateFile'] parameter is treated as a relative path and fed directly to PHP's file() function. This allows an authenticated administrator to read the contents of any text file that the web‑server process can access, thereby leaking potentially sensitive data. The weakness is a classic path‑traversal issue, identified as CWE‑22, and the vulnerability is rated with a CVSS score of 6.9, indicating a moderate to high severity.

Affected Systems

The affected product is WWBN AVideo, version 29.0 and all earlier releases.

Risk and Exploitability

Because the attack requires administrator credentials, the threat surface is narrowed to the inside of the organization. The CVSS score suggests a significant risk if the vulnerability is exploited. The EPSS score is not available, so the precise likelihood of exploitation remains unknown, but the absence of a KEV listing indicates no public exploitation reports yet. Nonetheless, the potential for confidential information disclosure warrants prompt action once the applicable patch or mitigation is applied.

Generated by OpenCVE AI on May 29, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AVideo installation to the latest version which removes the vulnerable path handling code.
  • If an upgrade is not immediately feasible, restrict administrative access to the view/update.php endpoint or disable it entirely so that no authenticated user can trigger the file‑read logic.
  • Implement input validation on any remaining file‑path parameters, ensuring they reference only approved directories and reject traversal sequences such as "..". Adjust file‑system permissions so that the web‑server process cannot access directories that contain sensitive data.

Generated by OpenCVE AI on May 29, 2026 at 15:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3mjv-375j-6h92 AVideo: Authenticated Arbitrary File Read in view/update.php
History

Mon, 01 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Fri, 29 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process.
Title WWBN AVideo: Authenticated Arbitrary File Read in view/update.php
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:03:09.980Z

Reserved: 2026-05-13T05:51:48.667Z

Link: CVE-2026-45731

cve-icon Vulnrichment

Updated: 2026-05-29T14:02:59.350Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-29T14:16:31.383

Modified: 2026-06-01T18:39:21.090

Link: CVE-2026-45731

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')