Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
25.0.1
CVE-2026-33293 describes a Path Traversal vulnerability discovered in wwbn/avideo versions up to 25.0. This flaw allows authenticated attackers to delete arbitrary files on the server by manipulating the deleteDump parameter within the plugin/CloneSite/cloneServer.json.php file. Successful exploitation can result in a complete denial of service or potentially enable further malicious actions by removing critical application files. A fix is available in version 26.0.
The vulnerability lies in the lack of proper path sanitization when processing the deleteDump parameter in plugin/CloneSite/cloneServer.json.php. An attacker possessing valid clone credentials can craft a malicious request containing path traversal sequences, such as ../../, to navigate outside the intended directory and target sensitive files. This includes critical configuration files like configuration.php, which, if deleted, would render the application unusable. Beyond denial of service, the removal of security-critical files could expose the system to further compromise, allowing an attacker to escalate their privileges or inject malicious code. The impact is significant due to the potential for complete system disruption and the possibility of broader security breaches.
CVE-2026-33293 was publicly disclosed on 2026-03-19. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability highlights the importance of rigorous input validation and path sanitization in web applications to prevent unauthorized file access and manipulation.
Exploit Status
EPSS
0.05% (15th percentile)
The primary mitigation for CVE-2026-33293 is to upgrade to version 26.0 of wwbn/avideo, which includes the necessary path sanitization fix. If an immediate upgrade is not feasible, consider implementing a temporary workaround by restricting access to the plugin/CloneSite/cloneServer.json.php file to authorized users only. Web application firewalls (WAFs) can also be configured to block requests containing suspicious path traversal sequences. Regularly review and audit the application's file permissions to ensure that sensitive files are protected. After upgrading, confirm the fix by attempting a clone operation with a crafted path traversal payload and verifying that the request is properly sanitized and fails to delete unintended files.
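One way to confine a user-supplied dump name such as the deleteDump parameter to its intended directory, shown here as an added illustration of the path sanitization the fix requires (example code written for this page, not AVideo's own; the dump directory and the parameter handling are assumptions):

```php
<?php
// Added example (not AVideo's code): confine a user-supplied file name to one
// allowed directory before unlinking it. The directory layout is assumed.

/**
 * Resolve $userSupplied inside $baseDir. Returns the canonical path on success,
 * or null when the name is malformed, escapes the directory, or does not exist.
 */
function resolveInsideDir(string $baseDir, string $userSupplied): ?string
{
    // Canonicalise the allowed directory first; it must exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Reject empty names, embedded NUL bytes and any directory component:
    // a dump is expected to be a plain file name, never a path.
    // basename("../../configuration.php") !== "../../configuration.php", so
    // traversal sequences are refused here before touching the filesystem.
    if ($userSupplied === '' || strpos($userSupplied, "\0") !== false
        || basename($userSupplied) !== $userSupplied) {
        return null;
    }

    // realpath() resolves "..", symlinks and duplicate separators, and
    // returns false when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userSupplied);
    if ($candidate === false) {
        return null;
    }

    // Containment check: the resolved path must sit strictly below $base.
    // The trailing separator stops "/var/dumps_other" from matching "/var/dumps".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Usage: delete a dump only when its name resolves inside the dump directory
// (the directory name is a placeholder for this example).
function deleteDump(string $dumpDir, string $requestedName): bool
{
    $path = resolveInsideDir($dumpDir, $requestedName);
    if ($path === null || !is_file($path)) {
        return false; // refused: traversal, symlink escape, or missing file
    }
    return unlink($path);
}
```

The basename check rejects any traversal sequence outright, while the realpath prefix check also catches a symlink inside the dump directory that points elsewhere.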
Update AVideo to version 26.0 or later. This version fixes the path traversal vulnerability in the CloneSite plugin, preventing arbitrary file deletion on the server.
CVE-2026-33293 is a Path Traversal vulnerability affecting wwbn/avideo versions up to 25.0, allowing attackers to delete arbitrary files on the server.
You are affected if you are using wwbn/avideo version 25.0 or earlier. Upgrade to version 26.0 to resolve the vulnerability.
Upgrade to version 26.0 of wwbn/avideo. As a temporary workaround, restrict access to the vulnerable file and implement WAF rules.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official wwbn/avideo security advisory for detailed information and updates regarding CVE-2026-33293.