Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33493 describes a Path Traversal vulnerability discovered in wwbn/avideo, allowing unauthorized file access. This flaw enables authenticated users with upload permissions to potentially steal private video files or read sensitive files adjacent to video assets. The vulnerability impacts versions of wwbn/avideo up to 26.0, and a patch is expected to be released by the vendor.
The primary impact of CVE-2026-33493 is the ability for an authenticated attacker to read arbitrary files on the server. The vulnerability lies within the objects/import.json.php endpoint, where the fileURI parameter lacks proper directory restriction. An attacker can craft a malicious fileURI value to bypass the regex check and access files outside the intended videos/ directory. This could lead to the exposure of sensitive data such as user configuration files, application code, or even other users' private video content. The potential for lateral movement is limited to the attacker's ability to leverage the accessed files for further exploitation, but the blast radius could be significant depending on the data exposed.
CVE-2026-33493 was publicly disclosed on 2026-03-20. The vulnerability is not currently listed on KEV, and its EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation suggests that it could become a target for opportunistic attackers.
Exploit Status
EPSS
0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2026-33493 is to upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until a patch is applied, consider implementing temporary workarounds. These may include restricting access to the objects/import.json.php endpoint to trusted users only, or implementing a Web Application Firewall (WAF) rule to block requests with suspicious fileURI values. Carefully review and strengthen input validation on all file upload endpoints. After upgrade, confirm the vulnerability is resolved by attempting to access a file outside the intended videos/ directory via the objects/import.json.php endpoint and verifying that access is denied.
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78. This prevents the directory traversal and the possible reading/deletion of arbitrary files.
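As an added illustration (not code from this page or from the wwbn/avideo project), the following PHP shows the kind of directory confinement the advisory says the fileURI parameter lacks. Instead of a regex over the raw string, it canonicalises both the videos/ base and the candidate with realpath() and accepts the result only if it still sits under the base. The function names, the assumption that fileURI names a file relative to the videos directory, and the temp-directory fixture used for the self-check are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied $fileURI against the videos directory and return
 * the canonical absolute path only if it stays inside that directory.
 * Returns null for anything that would escape it, does not exist, or
 * contains a NUL byte.
 *
 * Added illustration, not wwbn/avideo's own code. Assumes $fileURI is meant
 * to name a file relative to $videosDir (e.g. 'clip.mp4').
 */
function resolveInsideVideosDir(string $videosDir, string $fileURI): ?string
{
    // Embedded NUL bytes can truncate the path in the underlying C calls.
    if (strpos($fileURI, "\0") !== false) {
        return null;
    }

    // Canonicalise the allowed base first. realpath() returns false if the
    // directory does not exist, which is treated as "deny".
    $base = realpath($videosDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Always join to the base. Stripping leading separators means an absolute
    // fileURI cannot select a different filesystem root.
    $candidate = realpath($base . ltrim($fileURI, '/\\'));
    if ($candidate === false) {
        return null; // missing or unreadable target
    }

    // realpath() has collapsed '.', '..' and symlinks, so a prefix comparison
    // against the canonical base (with trailing separator) is now sound. A
    // symlink inside videos/ that points outside resolves outside and is denied.
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Self-check over a constructed layout in the system temp directory:
 * <root>/videos/clip.mp4 (inside) and <root>/secret.txt (outside).
 * Returns a map of case label => whether access was allowed.
 */
function runSelfCheck(): array
{
    $root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avideo-demo-' . bin2hex(random_bytes(4));
    $videos = $root . DIRECTORY_SEPARATOR . 'videos';
    mkdir($videos, 0700, true);
    file_put_contents($videos . DIRECTORY_SEPARATOR . 'clip.mp4', 'constructed sample');
    file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', 'constructed sample');

    $cases = [
        'relative file inside videos/'  => 'clip.mp4',
        'parent-directory reference'    => '../secret.txt',
        'absolute path outside videos/' => $root . DIRECTORY_SEPARATOR . 'secret.txt',
        'nonexistent file'              => 'missing.mp4',
    ];

    $allowed = [];
    foreach ($cases as $label => $uri) {
        $allowed[$label] = resolveInsideVideosDir($videos, $uri) !== null;
    }

    // Remove the constructed fixture.
    unlink($videos . DIRECTORY_SEPARATOR . 'clip.mp4');
    unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
    rmdir($videos);
    rmdir($root);

    return $allowed;
}

foreach (runSelfCheck() as $label => $ok) {
    printf("%-32s %s\n", $label, $ok ? 'allowed' : 'denied');
}
```

Only the first case resolves; the other three return null. Because realpath() requires the target to exist, this pattern suits read paths such as the import endpoint described above; a write path would need the same prefix check applied to the canonical parent directory instead. The same predicate (a decoded value that starts with a separator or contains a parent-directory reference) is also what a temporary WAF rule on fileURI, as suggested in the mitigation, would match on.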
CVE-2026-33493 is a Path Traversal vulnerability in wwbn/avideo versions 26.0 and earlier, allowing authenticated users to read arbitrary files.
You are affected if you are using wwbn/avideo version 26.0 or earlier and have not yet applied a patch.
Upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until then, implement WAF rules or restrict access to the vulnerable endpoint.
No active exploitation has been confirmed at this time, but the vulnerability's ease of exploitation suggests it could become a target.
Please refer to the wwbn/avideo security advisories page for updates and official information regarding CVE-2026-33493.
CVSS Vector