4.3

AVideo Server Filesystem Exposed to Unauthorized Access

GHSA-4wmm-6qxj-fpj4 CVE-2026-33238
Summary

An authenticated user can see files outside the intended video directory on the AVideo server, which could expose sensitive information. To fix this, update the code to normalize the requested path with `realpath` and ensure the result is restricted to the allowed directory.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|--------|---------|-------------------|---------------|
| wwbn | avideo | <= 14.0 | |
Original title
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the pat...
Original description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
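The mitigation described above (resolve the requested path with `realpath`, then confine it to an allowed base directory before it reaches `glob()`), shown as an added example. It is not AVideo's code or its patch; the function name `listMp4Within()`, the base directory and the temporary directory layout are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's code. listMp4Within() is a hypothetical helper.
function listMp4Within(string $requested, string $baseDir): array
{
    // realpath() resolves "..", symlinks and duplicate slashes, and returns
    // false when the path does not exist.
    $base = realpath($baseDir);
    $real = realpath($requested);
    if ($base === false || $real === false || !is_dir($real)) {
        return [];
    }

    // Compare with a trailing separator so that a sibling such as
    // "videos_private" is not accepted as a child of "videos".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return [];
    }

    $files = glob($real . DIRECTORY_SEPARATOR . '*.mp4') ?: [];

    // Return names relative to the base directory instead of absolute
    // filesystem paths, so the response does not reveal the server layout.
    return array_map(
        fn(string $f): string => substr($f, strlen($prefix)),
        $files
    );
}

// Constructed layout: an allowed "videos" tree and a sibling directory
// that must stay out of reach.
$root = sys_get_temp_dir() . '/listfiles_demo_' . bin2hex(random_bytes(4));
mkdir("$root/videos/user1", 0700, true);
mkdir("$root/videos_private", 0700, true);
touch("$root/videos/user1/clip.mp4");
touch("$root/videos_private/premium.mp4");

$base = "$root/videos";
// Request inside the allowed base directory.
var_dump(listMp4Within("$root/videos/user1", $base));
// Relative traversal out of the base directory.
var_dump(listMp4Within("$root/videos/user1/../../videos_private", $base));
// Absolute path to a directory outside the base.
var_dump(listMp4Within("$root/videos_private", $base));
```

The check runs on the resolved path, so it also covers a symlink inside the base directory that points elsewhere on the filesystem.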
ghsa CVSS3.1 4.3
Vulnerability type
CWE-22 Path Traversal
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 19 Mar 2026