Platform
php
Component
avideo
Fixed in
26.0
CVE-2026-33238 describes a Path Traversal vulnerability affecting WWBN AVideo versions before 26.0. This flaw allows authenticated uploaders to traverse the server's filesystem by manipulating the path POST parameter in the listFiles.json.php endpoint. Successful exploitation could lead to the exposure of sensitive media files and other data stored on the server.
The primary impact of this vulnerability is unauthorized access to files outside the intended upload directory. An attacker who has authenticated as an uploader can send a crafted POST request to listFiles.json.php whose path parameter is an absolute path. The endpoint passes that value to glob() without validating it, so the response lists every file matching the pattern (here, .mp4 files) in whatever directory the attacker names. This can expose private media, configuration files, or other sensitive data. The blast radius covers every location on the server that the web server process can read, which makes the issue more serious on deployments where that process has broad filesystem permissions. While this is not a Remote Code Execution (RCE) vulnerability, the ability to enumerate files is a useful precursor to further attacks.
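The following PHP example is added here to illustrate the bug class described above; it is not AVideo's own source. It places a handler that feeds the user-supplied path straight into glob() next to a hardened version that resolves the requested directory and requires it to sit under an upload base directory. The base directory layout, function names, and sample files are constructed for the demo and are assumptions, not details taken from the project.

```php
<?php
// Added illustration of the listFiles.json.php bug class (not AVideo's code).
// Assumed: the endpoint lists .mp4 files under a directory taken from the POST
// parameter "path"; the upload base directory and helper names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the user-controlled value goes straight into glob(),
// so an absolute path such as /etc/ or /var/www/private/ is honoured as-is.
function listMp4Vulnerable(string $userPath): array
{
    $pattern = rtrim($userPath, '/') . '/*.mp4';
    return glob($pattern) ?: [];
}

// Hardened pattern: resolve the requested directory, require it to sit inside
// the upload base, and only then build the glob pattern.
function listMp4Safe(string $userPath, string $baseDir): array
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // Reject glob metacharacters so a value like "*" or "[" cannot widen the
    // match beyond a plain directory name.
    if (preg_match('/[*?\[\]{}\\\\]/', $userPath) === 1) {
        throw new InvalidArgumentException('invalid characters in path');
    }
    // Treat the input as relative to the base; realpath() collapses any "..".
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/'));
    if ($target === false) {
        throw new InvalidArgumentException('directory not found');
    }
    // Prefix check with the separator appended, so /srv/uploads-secret does
    // not pass as a child of /srv/uploads.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path escapes the upload directory');
    }
    return array_map('basename', glob($target . DIRECTORY_SEPARATOR . '*.mp4') ?: []);
}

// Self-contained demo on a temporary layout (constructed sample data).
$tmp = sys_get_temp_dir() . '/avideo_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/uploads/user1", 0700, true);
mkdir("$tmp/secret", 0700, true);
touch("$tmp/uploads/user1/clip.mp4");
touch("$tmp/secret/internal.mp4");

// Traversal: an absolute path makes the vulnerable handler list files that
// live outside the uploads tree.
var_dump(listMp4Vulnerable("$tmp/secret"));

// The same escape attempt against the hardened handler is rejected.
try {
    listMp4Safe('../secret', "$tmp/uploads");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate request under the base still works.
var_dump(listMp4Safe('user1', "$tmp/uploads"));

// Clean up the demo layout.
unlink("$tmp/uploads/user1/clip.mp4");
unlink("$tmp/secret/internal.mp4");
rmdir("$tmp/uploads/user1");
rmdir("$tmp/uploads");
rmdir("$tmp/secret");
rmdir($tmp);
```

Run it with `php example.php`. The two checks in the hardened handler matter independently: realpath() defeats `..` and symlink tricks, while the metacharacter filter stops a caller from turning the directory name itself into a wider glob pattern.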
CVE-2026-33238 was published on March 20, 2026. Its severity is rated Medium (CVSS 4.3). No public Proof-of-Concept (PoC) exploit has been observed at the time of writing. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score is 0.05% (15th percentile). Monitor security advisories and threat intelligence feeds for any indication of active exploitation.
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2026-33238 is to upgrade WWBN AVideo to version 26.0 or later, which includes the patch for this vulnerability. If upgrading immediately is not feasible, consider a Web Application Firewall (WAF) rule that blocks requests to listFiles.json.php whose path parameter contains an absolute path or a directory traversal sequence (e.g., ../). Additionally, restrict the web server user's filesystem permissions to the directories it actually needs, which limits what a traversal can reach. Finally, review which accounts hold the uploader role, since any authenticated uploader is sufficient to reach the vulnerable endpoint.
Update AVideo to version 26.0 or later to fix the directory traversal vulnerability. The update adds the missing path validation in the `listFiles.json.php` endpoint and thereby prevents attackers from accessing sensitive files on the server's filesystem.
CVE-2026-33238 is a vulnerability in WWBN AVideo versions before 26.0 that allows authenticated uploaders to traverse the server's filesystem via the listFiles.json.php endpoint, potentially exposing sensitive files.
You are affected if you are running any WWBN AVideo version earlier than 26.0 (the published affected range is 0.0.0 through 25.9). Check your installed version and upgrade to 26.0 or later to mitigate the risk.
The recommended fix is to upgrade to WWBN AVideo version 26.0 or later. This version includes a patch that addresses the Path Traversal vulnerability.
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-33238, but it's crucial to apply the patch proactively.
Refer to the official WWBN AVideo security advisories on their website or GitHub repository for the most up-to-date information and patch details.