Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33493 describes a Path Traversal vulnerability discovered in wwbn/avideo, allowing unauthorized file access. This flaw enables authenticated users with upload permissions to potentially steal private video files or read sensitive files adjacent to video files. The vulnerability impacts versions of wwbn/avideo up to 26.0, and a patch is expected to be released by the vendor.
The primary impact of CVE-2026-33493 is the ability for an authenticated attacker to read arbitrary files on the server. The vulnerability arises from insufficient validation of the fileURI parameter within the objects/import.json.php endpoint. While the endpoint checks that the URI ends in .mp4, it lacks a crucial realpath()-based directory restriction similar to the hardened objects/listFiles.json.php endpoint. This allows an attacker to bypass the intended security controls and access files outside of the intended videos/ directory. Attackers could steal sensitive user data contained in .txt, .html, or .htm files, potentially exposing personally identifiable information (PII) or confidential business data. The blast radius extends to any files accessible by the web server process, depending on its permissions.
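To make the missing control concrete, here is an added example (not AVideo's own code) that places the suffix-only check the advisory describes beside a realpath()-based directory restriction of the kind objects/listFiles.json.php applies; the function names, the videos directory and the temporary layout are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from wwbn/avideo. $videosDir is an assumed base directory.

// Weak check: only the suffix is validated, so a path that climbs out of
// videos/ with ../ (or points at a symlink) is accepted as long as it ends in .mp4.
function isAllowedWeak(string $fileURI): bool
{
    return substr($fileURI, -4) === '.mp4';
}

// Hardened check: resolve both the base directory and the candidate with
// realpath(), then require the candidate to sit strictly inside the base.
function isAllowedHardened(string $fileURI, string $videosDir): bool
{
    if (substr($fileURI, -4) !== '.mp4') {
        return false;
    }
    $base = realpath($videosDir);
    // Always join onto the base: an absolute $fileURI therefore cannot escape it.
    $real = realpath($videosDir . DIRECTORY_SEPARATOR . $fileURI);
    if ($base === false || $real === false) {
        return false; // base directory missing, or the file does not exist
    }
    // Compare with a trailing separator so "videos2/" is not mistaken for "videos/".
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

// Constructed layout: one legitimate clip inside videos/ and one .mp4 one level above it.
$tmp = sys_get_temp_dir() . '/avideo_demo_' . getmypid();
mkdir("$tmp/videos", 0700, true);
file_put_contents("$tmp/videos/clip.mp4", 'demo');
file_put_contents("$tmp/secret.mp4", 'demo');

// The same traversal input run through both checks, plus a legitimate file.
var_dump(isAllowedWeak('../secret.mp4'));
var_dump(isAllowedHardened('../secret.mp4', "$tmp/videos"));
var_dump(isAllowedHardened('clip.mp4', "$tmp/videos"));

// Remove the constructed files.
unlink("$tmp/videos/clip.mp4");
unlink("$tmp/secret.mp4");
rmdir("$tmp/videos");
rmdir($tmp);
```

The suffix-only check passes the traversal input while the realpath()-based check rejects it and still accepts the clip that really lives under videos/.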
CVE-2026-33493 was publicly disclosed on 2026-03-20. The vulnerability's simplicity and the lack of robust input validation suggest a moderate probability of exploitation. Currently, no public proof-of-concept (PoC) code has been released, but the ease of exploitation makes it a potential target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Organizations using wwbn/avideo for video management, particularly those with shared hosting environments or legacy configurations, are at risk. Users with upload permissions within the application are especially vulnerable, as they are the ones who can exploit this vulnerability to access sensitive files.
• php / server: `grep -r 'fileURI' /var/www/avideo/`
• php / server: `find /var/www/avideo/ -name 'import.json.php'`
• generic web: `curl -I http://your-avideo-server/objects/import.json.php?fileURI=../../../../etc/passwd`
Disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33493 is to upgrade to a patched version of wwbn/avideo. Until a patch is available, consider implementing temporary workarounds. Restrict access to the objects/import.json.php endpoint to only trusted users. Implement a Web Application Firewall (WAF) rule to block requests with suspicious fileURI values, specifically those containing directory traversal sequences (e.g., ../). Carefully review file permissions on the server to minimize the potential impact of unauthorized file access. Monitor web server logs for unusual file access attempts. After upgrade, confirm the vulnerability is resolved by attempting to import a file with a malicious fileURI and verifying that access is denied.
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78. This prevents the directory traversal and the possible reading or deletion of arbitrary files.
CVE-2026-33493 is a Path Traversal vulnerability in wwbn/avideo versions 26.0 and earlier, allowing authenticated users to read arbitrary files.
You are affected if you are using wwbn/avideo version 26.0 or earlier and have not yet applied a patch.
Upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until then, implement WAF rules or restrict access to the vulnerable endpoint.
No active exploitation has been confirmed at this time, but the vulnerability's ease of exploitation suggests it could become a target.
Please refer to the wwbn/avideo security advisories page for updates and official information regarding CVE-2026-33493.