Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33681 describes a Path Traversal vulnerability discovered in wwbn/avideo. This flaw allows an authenticated administrator, or an attacker via Cross-Site Request Forgery (CSRF), to execute arbitrary SQL queries against the application database. The vulnerability exists in the objects/pluginRunDatabaseScript.json.php endpoint and impacts versions of wwbn/avideo up to and including 26.0. A fix is available via upgrade.
The vulnerability allows an authenticated administrator, or an attacker leveraging Cross-Site Request Forgery (CSRF), to execute arbitrary SQL queries against the application's database. By crafting a malicious name parameter, an attacker can specify a path to any install/install.sql file on the filesystem. The contents of this file are then directly executed as SQL, potentially leading to data breaches, modification of critical database records, or even complete database takeover. This is particularly concerning as it bypasses standard application security controls and allows direct database interaction.
CVE-2026-33681 was publicly disclosed on 2026-03-25. The vulnerability's ease of exploitation, combined with the potential for significant data compromise, warrants careful attention. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests that a PoC is likely to emerge. It is not currently listed on the CISA KEV catalog.
Organizations using wwbn/avideo in environments where administrators have access to the plugin management interface are at risk. Shared hosting environments where multiple users share the same server and database are particularly vulnerable, as an attacker could potentially exploit this vulnerability to compromise other users' data. Legacy configurations with outdated security practices are also at increased risk.
• php: Examine access logs for requests to objects/pluginRunDatabaseScript.json.php with unusual or potentially malicious values in the name parameter. Use grep to search for patterns like ../ or absolute paths (the dots are escaped so that the pattern matches a literal ".." and not any two characters followed by a slash).
grep 'pluginRunDatabaseScript.json.php.*\.\./' /var/log/apache2/access.log
• generic web: Use curl to test the endpoint with various payloads, observing the response for errors or unexpected behavior.
curl -X POST -d 'name=../../../../etc/passwd' http://your-avideo-server/objects/pluginRunDatabaseScript.json.php
Disclosure
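As an added example (not from the advisory or the AVideo project), the grep check above generalised into a small log scanner: it parses combined-format access log lines, keeps only requests to the vulnerable endpoint, and flags a name value that is an absolute path or contains a ".." segment after URL decoding, including double encoding that a literal grep for "../" would miss. The log lines, IP addresses and the plugin name ExamplePlugin are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory.
ENDPOINT = "objects/pluginRunDatabaseScript.json.php"

# Minimal parser for Apache/Nginx combined-format lines: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_name(value: str) -> bool:
    """True if a 'name' value could leave the plugin directory.

    Decodes twice so a double-encoded %252e%252e%252f is caught, and treats
    backslashes as separators so Windows-style traversal is not missed.
    """
    v = unquote(unquote(value)).replace("\\", "/")
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return True  # absolute Unix or Windows path
    return any(seg == ".." for seg in v.split("/"))


def scan_log(lines):
    """Return (ip, method, decoded name, status) for every suspicious hit on the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m["target"]:
            continue
        # parse_qs already applies one round of URL decoding.
        for name in parse_qs(urlsplit(m["target"]).query).get("name", []):
            if suspicious_name(name):
                hits.append((m["ip"], m["method"], unquote(unquote(name)), m["status"]))
    return hits


# Constructed sample log lines (documentation-range IPs; ExamplePlugin is a placeholder name).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /objects/pluginRunDatabaseScript.json.php?name=ExamplePlugin HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Mar/2026:10:00:02 +0000] "GET /objects/pluginRunDatabaseScript.json.php?name=../../../../tmp/x HTTP/1.1" 200 20',
    '198.51.100.7 - - [25/Mar/2026:10:00:03 +0000] "GET /objects/pluginRunDatabaseScript.json.php?name=%252e%252e%252ftmp%252fx HTTP/1.1" 500 0',
    '198.51.100.7 - - [25/Mar/2026:10:00:04 +0000] "GET /index.php?name=../x HTTP/1.1" 200 1',
    '198.51.100.7 - - [25/Mar/2026:10:00:05 +0000] "POST /objects/pluginRunDatabaseScript.json.php HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

A standard access log records only the request line, so a name sent in a POST body (as in the curl command above) is not visible to this scanner; catching it requires request-body logging at the application or WAF layer.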
Exploit status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of wwbn/avideo that addresses this vulnerability. If an immediate upgrade is not possible, consider implementing temporary workarounds. Restrict access to the objects/pluginRunDatabaseScript.json.php endpoint to trusted administrators only. Implement strict input validation on the name parameter, ensuring it only accepts expected values and does not contain path traversal characters (e.g., '..'). Consider using a Web Application Firewall (WAF) to filter requests containing suspicious patterns. Regularly review and audit plugin configurations to identify potential vulnerabilities.
Upgrade AVideo to a version later than 26.0. The update fixes the path traversal vulnerability in the `pluginRunDatabaseScript.json.php` endpoint.
CVE-2026-33681 is a Path Traversal vulnerability in wwbn/avideo that allows attackers to execute arbitrary SQL queries against the database by manipulating the 'name' parameter.
You are affected if you are using wwbn/avideo versions 26.0 or earlier. This vulnerability impacts systems where administrators have access to the plugin management interface.
Upgrade to a patched version of wwbn/avideo. As a temporary workaround, implement a WAF rule to block or filter the 'name' parameter.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official wwbn/avideo security advisories for the most up-to-date information and patch details. Check their website and relevant security mailing lists.