Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
25.0.1
CVE-2026-33293 describes a Path Traversal vulnerability discovered in wwbn/avideo versions up to 25.0. This flaw allows authenticated attackers to delete arbitrary files on the server by manipulating the deleteDump parameter within the plugin/CloneSite/cloneServer.json.php file. Successful exploitation can result in a complete denial of service or potentially enable further malicious actions by removing critical application files. A fix is available in version 26.0.
The deleteDump parameter in plugin/CloneSite/cloneServer.json.php is vulnerable to path traversal. Because this parameter is passed directly to the unlink() function without proper sanitization, an attacker possessing valid clone credentials can craft malicious input containing path traversal sequences (e.g., ../../). This allows them to delete any file accessible to the web server user, including critical configuration files like configuration.php. Deletion of such files can result in a complete denial of service, preventing the application from functioning. Furthermore, removing security-critical files could enable subsequent attacks, granting the attacker a foothold on the system. The impact is significant due to the potential for complete service disruption and the possibility of escalating privileges.
While no public exploits have been reported for CVE-2026-33293, the vulnerability's ease of exploitation and potential impact warrant careful attention. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be easily exploited once a PoC is released. Given the potential for DoS and privilege escalation, organizations should prioritize patching or implementing mitigating controls.
Organizations utilizing wwbn/avideo versions 25.0 and earlier, particularly those with publicly accessible clone functionality, are at risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as an attacker could potentially exploit this vulnerability to impact other users' data and configurations.
• wordpress / composer / npm:
grep -r 'unlink($_GET["deleteDump"]);' /var/www/avideo/
• generic web:
curl -I 'http://your-avideo-site.com/plugin/CloneSite/cloneServer.json.php?deleteDump=../../../../etc/passwd' | grep '403 Forbidden'
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33293 is to upgrade to version 26.0 of wwbn/avideo, which includes the necessary path sanitization to prevent arbitrary file deletion. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences in the deleteDump parameter. Additionally, restrict file system permissions for the web server user to minimize the potential damage from a successful attack. Regularly review and audit file system permissions to ensure they adhere to the principle of least privilege. After upgrading, confirm the fix by attempting to access and delete a non-critical file using a path traversal sequence; the operation should fail with an appropriate error.
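The kind of sanitization the fix needs, shown as an added illustration rather than AVideo's own code: the value of deleteDump is accepted only as a bare file name that resolves, via realpath(), to a regular file inside one fixed dump directory (the directory path and the archive naming pattern are assumptions made for this example).

```php
<?php
// Added example, not code from wwbn/avideo. Hardened handling of the
// deleteDump parameter: reject anything that is not a plain file name
// resolving inside DUMP_DIR. The directory path below is assumed.
const DUMP_DIR = '/var/www/avideo/videos/cache/clone';

/**
 * Return the canonical path of the dump file named by $requested, or null
 * when the value escapes DUMP_DIR or does not name an existing dump file.
 */
function resolveDumpPath(string $requested): ?string
{
    // A bare file name only: no directory components, no NUL bytes.
    if ($requested === '' || $requested !== basename($requested)
        || strpos($requested, "\0") !== false) {
        return null;
    }
    // Dump archives follow a fixed naming pattern (assumed here).
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(sql|zip|tar\.gz)$/', $requested)) {
        return null;
    }
    $base = realpath(DUMP_DIR);
    $full = realpath(DUMP_DIR . '/' . $requested);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // realpath() collapses ".." and follows symlinks, so a prefix check on
    // the canonical path is what actually defeats traversal.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

/** Delete a dump file; log and refuse anything that fails validation. */
function deleteDump(string $requested): bool
{
    $path = resolveDumpPath($requested);
    if ($path === null) {
        error_log('CloneSite: rejected deleteDump value ' . json_encode($requested));
        http_response_code(400);
        return false;
    }
    return unlink($path);
}

// Request handling, to be reached only after the clone credentials are verified.
if (isset($_GET['deleteDump'])) {
    header('Content-Type: application/json');
    echo json_encode(['deleted' => deleteDump((string) $_GET['deleteDump'])]);
}
```

Rejected values are written to the web server error log, which gives a detection signal for traversal attempts against the endpoint.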
Update AVideo to version 26.0 or later. This version fixes the path traversal vulnerability in the CloneSite plugin, preventing arbitrary deletion of files on the server.
CVE-2026-33293 is a Path Traversal vulnerability affecting wwbn/avideo versions up to 25.0, allowing attackers to delete arbitrary files on the server.
You are affected if you are using wwbn/avideo version 25.0 or earlier. Upgrade to version 26.0 to resolve the vulnerability.
Upgrade to version 26.0 of wwbn/avideo. As a temporary workaround, restrict access to the vulnerable file and implement WAF rules.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official wwbn/avideo security advisory for detailed information and updates regarding CVE-2026-33293.