Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1, 25.0.1
CVE-2026-33292 describes a Path Traversal vulnerability within the wwbn/avideo platform. This flaw allows unauthenticated attackers to bypass access controls and stream private or paid video content. The vulnerability impacts versions of wwbn/avideo up to and including 25.0, and a fix is available in version 26.0.
The core of this vulnerability lies in a split-oracle condition within the view/hls.php endpoint. The videoDirectory parameter is used differently for authorization and file access. Authorization truncates the path at the first /, while file access preserves .. sequences, enabling traversal. This allows an attacker to craft a malicious request that passes authorization checks while accessing unauthorized video files. The potential impact is significant, as attackers can gain access to sensitive or premium video content without proper authentication, potentially leading to data breaches, financial loss, and reputational damage.
CVE-2026-33292 was publicly disclosed on 2026-03-19. Currently, there are no known public proof-of-concept exploits available. The vulnerability's simplicity suggests a potential for rapid exploitation once a PoC is released. Its inclusion in the NVD is pending, and CISA has not yet assessed it for EPSS scoring.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-33292 is to upgrade to version 26.0 of wwbn/avideo, which contains the fix. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing .. sequences in the videoDirectory parameter. Additionally, carefully review and sanitize all user-supplied input to prevent path traversal attempts. After upgrading, confirm the fix by attempting to access a private video using a crafted path traversal request; it should be denied.
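The following is an added illustration of the hardening described above and of the WAF caveat; it is not AVideo's own code, and the videos root, the PRIVATE_DIRS table, the sample requests and all function names are constructed for the example. The point it shows: the videoDirectory value is resolved to one canonical directory name, and that single name is used for both the authorization decision and the file path, so there is no second interpretation of the input for the two checks to disagree on. The detection helper inspects the decoded parameter value, because a rule that only matches a literal .. misses percent-encoded forms.

```python
import os
from typing import List, Optional, Set
from urllib.parse import parse_qs, unquote

# Constructed videos root for the example; a deployment would use its own
# configured directory (hypothetical path, not AVideo's).
VIDEOS_ROOT = "/var/www/avideo/videos"

# Constructed access-control table: directory names that require entitlement.
PRIVATE_DIRS = {"private_video"}


def canonical_video_dir(video_directory: str) -> Optional[str]:
    """Resolve a user-supplied videoDirectory to one canonical directory name.

    Returns the name to use for BOTH authorization and file access, or None
    if the value escapes the videos root or is not a single path component.
    """
    decoded = unquote(video_directory)
    # normpath is lexical (collapses '.' and '..'); realpath would additionally
    # resolve symlinks if the directory exists on disk.
    candidate = os.path.normpath(os.path.join(VIDEOS_ROOT, decoded))
    # Containment check: the resolved path must still sit under the root.
    if os.path.commonpath([VIDEOS_ROOT, candidate]) != VIDEOS_ROOT:
        return None
    rel = os.path.relpath(candidate, VIDEOS_ROOT)
    # A video directory is exactly one component: reject '.', '' and nested paths.
    if rel in (".", "") or os.sep in rel:
        return None
    return rel


def is_authorized(video_dir: str, user_entitlements: Set[str]) -> bool:
    """Authorize on the canonical name, never on the raw parameter."""
    return video_dir not in PRIVATE_DIRS or video_dir in user_entitlements


def hls_path_for(video_directory: str, user_entitlements: Set[str]) -> Optional[str]:
    """Return the playlist path to serve, or None if the request is denied."""
    video_dir = canonical_video_dir(video_directory)
    if video_dir is None or not is_authorized(video_dir, user_entitlements):
        return None
    return os.path.join(VIDEOS_ROOT, video_dir, "index.m3u8")


def flags_traversal(query_string: str) -> bool:
    """WAF-style check for the videoDirectory parameter of a request.

    parse_qs decodes percent-encoding once; unquote is applied again so a
    double-encoded value is judged on its final form as well.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for value in params.get("videoDirectory", []):
        decoded = unquote(value)
        if ".." in decoded or "/" in decoded or "\\" in decoded:
            return True
    return False


# Constructed sample query strings, as they might appear in an access log.
SAMPLE_REQUESTS = [
    "videoDirectory=public_video",
    "videoDirectory=public_video/../private_video",
    "videoDirectory=%2e%2e%2fprivate_video",
]


def flagged_requests(requests: List[str]) -> List[str]:
    """Return the sample requests the detection rule would flag."""
    return [q for q in requests if flags_traversal(q)]


if __name__ == "__main__":
    for q in SAMPLE_REQUESTS:
        print(f"{q!r:50} flagged={flags_traversal(q)}")
    print(hls_path_for("public_video", set()))
    print(hls_path_for("public_video/../private_video", set()))
```

Note that an anonymous request for "public_video/../private_video" is denied not because the traversal is detected but because the authorization check runs on the resolved name "private_video"; the detection rule is a separate, defence-in-depth layer.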
Update AVideo to version 26.0 or later. This version contains the fix for the path traversal vulnerability in the HLS endpoint.
CVE-2026-33292 is a Path Traversal vulnerability in wwbn/avideo that allows unauthenticated access to private videos due to a split-oracle condition in the videoDirectory parameter.
You are affected if you are using wwbn/avideo version 25.0 or earlier. Upgrade to version 26.0 to mitigate the vulnerability.
The recommended fix is to upgrade to version 26.0 of wwbn/avideo. As a temporary workaround, implement a WAF rule to filter requests containing .. sequences.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's simplicity suggests a potential for rapid exploitation.
Refer to the official wwbn/avideo security advisory for detailed information and updates regarding CVE-2026-33292.