Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1, 25.0.1
CVE-2026-33292 describes a Path Traversal vulnerability within the wwbn/avideo platform. This flaw allows unauthenticated attackers to bypass access controls and stream private or paid video content. The vulnerability impacts versions of wwbn/avideo up to and including 25.0, and a fix is available in version 26.0.
The primary impact of CVE-2026-33292 is the unauthorized exposure of private or paid video content. Attackers can exploit the split-oracle condition in the view/hls.php endpoint by manipulating the videoDirectory parameter to traverse directories and access videos they are not authorized to view. This could lead to data breaches, financial losses for content providers, and reputational damage. The lack of authentication required to trigger the vulnerability significantly broadens the potential attack surface, making it accessible to a wide range of malicious actors.
CVE-2026-33292 was publicly disclosed on 2026-03-19. There is no indication of active exploitation or inclusion on the CISA KEV catalog at this time. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature suggests that a simple POC could be developed relatively easily, increasing the risk of exploitation.
Organizations utilizing wwbn/avideo for video streaming, particularly those with private or paid content, are at risk. Shared hosting environments where multiple users share the same instance of wwbn/avideo are especially vulnerable, as an attacker could potentially exploit this vulnerability to access content belonging to other users.
• php: Examine access logs for requests containing .. sequences in the videoDirectory parameter of the view/hls.php endpoint.
• php: Search for code patterns related to divergent path handling of the videoDirectory parameter, specifically where one path truncates at / and another preserves .. sequences.
• generic web: Use curl to test for path traversal by appending ../ sequences to the videoDirectory parameter and observing the response.
curl 'http://your-avideo-instance/view/hls.php?videoDirectory=../../../../etc/passwd'
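As an added example (not code from this page or from the AVideo project), the first detection step above carried out in Python over a few constructed access-log lines: it parses combined-format requests, decodes the videoDirectory value before testing for a `..` path segment so that percent-encoded variants are not missed, and reports both served (200) and denied (403) attempts, since a denied attempt still indicates probing.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not from any real host.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2026:10:01:02 +0000] "GET /view/hls.php?videoDirectory=abc123 HTTP/1.1" 200 512
203.0.113.7 - - [19/Mar/2026:10:01:05 +0000] "GET /view/hls.php?videoDirectory=../../private/vid9 HTTP/1.1" 200 512
203.0.113.9 - - [19/Mar/2026:10:01:09 +0000] "GET /view/hls.php?videoDirectory=%2e%2e%2f%2e%2e%2fpaid/vid4 HTTP/1.1" 403 0
203.0.113.11 - - [19/Mar/2026:10:01:12 +0000] "GET /view/index.php?videoName=..test HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def videodir_traversal(target):
    """Return the decoded videoDirectory value when the request targets view/hls.php
    and that value contains a '..' path segment after full URL decoding; else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/view/hls.php"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("videoDirectory", []):
        value = raw
        # parse_qs decoded once; keep decoding to catch double-encoded forms (%252e%252e).
        for _ in range(3):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        # Split on either separator so '..\\x' is treated like '../x'; 'abc..def' is not a hit.
        if ".." in re.split(r"[\\/]+", value):
            return value
    return None


def scan_log(text):
    """Return one record per request whose videoDirectory carries a traversal segment."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        value = videodir_traversal(match["target"])
        if value is not None:
            hits.append({"ip": match["ip"], "status": int(match["status"]), "videoDirectory": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```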
EPSS: 0.05% (15th percentile)
The recommended mitigation for CVE-2026-33292 is to immediately upgrade to version 26.0 of wwbn/avideo, which addresses the split-oracle condition. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing malicious videoDirectory parameters, specifically those containing .. sequences. Thoroughly review and restrict access permissions to video directories to minimize the potential impact of a successful exploit. After upgrading, confirm the fix by attempting to access a private video using a crafted URL with a path traversal payload; the request should be denied.
Update AVideo to version 26.0 or later. This version contains the fix for the path traversal vulnerability in the HLS endpoint.
CVE-2026-33292 is a Path Traversal vulnerability in wwbn/avideo that allows unauthenticated access to private videos due to a split-oracle condition in the videoDirectory parameter.
You are affected if you are using wwbn/avideo version 25.0 or earlier. Upgrade to version 26.0 to mitigate the vulnerability.
The recommended fix is to upgrade to version 26.0 of wwbn/avideo. As a temporary workaround, implement a WAF rule to filter requests containing .. sequences.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's simplicity suggests a potential for rapid exploitation.
Refer to the official wwbn/avideo security advisory for detailed information and updates regarding CVE-2026-33292.