Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33681 describes a Path Traversal vulnerability discovered in wwbn/avideo. This flaw allows an authenticated administrator, or an attacker via Cross-Site Request Forgery (CSRF), to execute arbitrary SQL queries against the application database. The vulnerability exists in the objects/pluginRunDatabaseScript.json.php endpoint and impacts versions of wwbn/avideo up to and including 26.0. A fix is available via upgrade.
The primary impact of CVE-2026-33681 is the potential for unauthorized access and modification of sensitive data within the application database. By crafting a malicious POST request with a specially crafted name parameter, an attacker can bypass path traversal sanitization and execute arbitrary SQL commands. This could lead to data breaches, data corruption, or even complete compromise of the application server. The ability to execute SQL queries directly against the database represents a significant security risk, potentially allowing attackers to extract credentials, modify user data, or gain control of the application's functionality. This vulnerability shares similarities with other SQL injection vulnerabilities where attackers can leverage database access for broader system compromise.
CVE-2026-33681 was publicly disclosed on 2026-03-25. The vulnerability's ease of exploitation, combined with the potential for significant data compromise, suggests a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33681 is to upgrade to a patched version of wwbn/avideo. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the objects/pluginRunDatabaseScript.json.php endpoint or to filter the name parameter, ensuring it only contains expected values. Additionally, review and restrict access to the plugin directory to limit the potential impact of a successful attack. Thoroughly test any configuration changes in a non-production environment before deploying them to production. After upgrading, confirm the vulnerability is resolved by attempting to access the vulnerable endpoint with a malicious name parameter and verifying that the request is rejected.
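As an added illustration (not code from this advisory or from the wwbn/avideo project), the following Python implements the kind of allow-list filter the workaround above describes for the `name` parameter: it canonicalizes the value (so percent-encoded variants are judged in decoded form), accepts only plain identifiers, and confirms the resolved path stays inside the plugin directory. The plugin directory path, the identifier pattern, the helper names and the sample requests are assumptions constructed for the example; the project's own handling of the parameter may differ.

```python
import os
import re
from urllib.parse import unquote

# Assumed plugin directory (placeholder; the real install path depends on the deployment).
PLUGIN_DIR = "/var/www/avideo/plugin"

# Endpoint named in the advisory; the rule below only applies to requests for it.
ENDPOINT = "/objects/pluginRunDatabaseScript.json.php"

# Assumed shape of a legitimate plugin name: a plain identifier, no separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def normalize_param(value: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input is compared decoded."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_plugin_name(name: str, plugin_dir: str = PLUGIN_DIR) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only identifiers that resolve inside plugin_dir."""
    decoded = normalize_param(name)
    if "\x00" in decoded:
        return False, "null byte in name"
    if not SAFE_NAME.fullmatch(decoded):
        return False, "name is not a plain identifier"
    # Defence in depth: even an identifier must resolve to a path under the plugin directory.
    base = os.path.realpath(plugin_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        return False, "resolved path escapes plugin directory"
    return True, decoded


def should_block(request: dict) -> tuple[bool, str]:
    """WAF-style decision for one request: (block, reason)."""
    if not request.get("path", "").endswith(ENDPOINT):
        return False, "rule does not apply to this path"
    name = request.get("params", {}).get("name")
    if name is None:
        return True, "missing name parameter"
    accepted, reason = validate_plugin_name(name)
    return (not accepted), reason


def screen_requests(requests: list[dict]) -> list[dict]:
    """Apply should_block to each request and collect the decisions."""
    decisions = []
    for req in requests:
        blocked, reason = should_block(req)
        decisions.append({"path": req.get("path"),
                          "name": req.get("params", {}).get("name"),
                          "blocked": blocked,
                          "reason": reason})
    return decisions


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": ENDPOINT, "params": {"name": "ExamplePlugin"}},
    {"method": "POST", "path": ENDPOINT, "params": {"name": "../../config"}},
    {"method": "POST", "path": ENDPOINT, "params": {"name": "%2E%2E%2F%2E%2E%2Fconfig"}},
    {"method": "GET", "path": "/objects/otherEndpoint.json.php", "params": {"name": "../x"}},
]

if __name__ == "__main__":
    for d in screen_requests(SAMPLE_REQUESTS):
        print(f"{'BLOCK ' if d['blocked'] else 'ALLOW '} {d['path']} name={d['name']!r}: {d['reason']}")
```

The check is an allow-list rather than a strip-and-replace sanitizer: anything that is not a plain identifier is rejected outright, and the canonical-path containment test catches cases the pattern alone would not cover if the pattern were later loosened. The rule is scoped to the advisory's endpoint so it can be deployed without affecting unrelated parameters of the same name elsewhere in the application.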
Update AVideo to a version later than 26.0. The update fixes the path traversal vulnerability in the `pluginRunDatabaseScript.json.php` endpoint.
CVE-2026-33681 is a Path Traversal vulnerability in wwbn/avideo that allows attackers to execute arbitrary SQL queries against the database by manipulating the 'name' parameter.
You are affected if you are using wwbn/avideo versions 26.0 or earlier. This vulnerability impacts systems where administrators have access to the plugin management interface.
Upgrade to a patched version of wwbn/avideo. As a temporary workaround, implement a WAF rule to block or filter the 'name' parameter.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official wwbn/avideo security advisories for the most up-to-date information and patch details. Check their website and relevant security mailing lists.