{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33238", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.508Z", "datePublished": "2026-03-20T23:31:35.134Z", "dateUpdated": "2026-05-06T14:40:15.866Z"}, "containers": {"cna": {"title": "AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4"}, {"name": "https://github.com/WWBN/AVideo/issues/10403", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/issues/10403"}, {"name": "https://github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T17:41:47.151Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server \u2014 including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-4wmm-6qxj-fpj4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:42:00.213134Z", "id": "CVE-2026-33238", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-06T14:40:15.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33238", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:42:00.213134Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:42:06.819Z"}}], "cna": {"title": "AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration", "source": {"advisory": "GHSA-4wmm-6qxj-fpj4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/issues/10403", "name": "https://github.com/WWBN/AVideo/issues/10403", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21", "name": "https://github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server \u2014 including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T17:41:47.151Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33238", "state": "PUBLISHED", "dateUpdated": "2026-05-06T14:40:15.866Z", "dateReserved": "2026-03-18T02:42:27.508Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T23:31:35.134Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server \u2014 including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el endpoint 'listFiles.json.php' acepta un par\u00e1metro POST 'path' y lo pasa directamente a 'glob()' sin restringir la ruta a un directorio base permitido. Un cargador autenticado puede recorrer todo el sistema de archivos del servidor al proporcionar rutas absolutas arbitrarias, enumerando nombres de archivo .mp4 y sus rutas absolutas completas del sistema de archivos dondequiera que existan en el servidor \u2014 incluyendo ubicaciones fuera de la ra\u00edz web, como directorios de medios privados o premium. La versi\u00f3n 26.0 contiene un parche para el problema."}], "id": "CVE-2026-33238", "lastModified": "2026-04-13T18:16:29.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:26.700", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/issues/10403"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T20:25:30.312614+00:00", "value": {"mitigation_remediation": ["Upgrade to AVideo version\u00a026.0 or later to apply the patch.", "If upgrading is not immediately possible, limit the uploader role\u2019s file system permissions so glob() can only access the intended media directories and deny access to other paths.", "Verify that the server\u2019s web root configuration continues to prevent traversal outside the designated media directories.", "Monitor application logs for unusual file enumeration activity and enforce strict access controls on user roles."], "summary": {"action": "Apply Patch", "impact": "Server Filesystem Enumeration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WWBN AVideo open\u2011source video platform. Versions prior to 26.0 are impacted; the fix was implemented in version 26.0.", "description_and_impact": "AVideo\u2019s listFiles.json.php endpoint allows an authenticated user to pass any absolute path to the server, which the application then feeds directly to the glob() function. This path\u2011traversal flaw lets the attacker enumerate .mp4 files and discover their full filesystem paths, even outside the web root, exposing private media and other sensitive files.", "risk_and_exploitability": "The CVSS base score is 4.3 and the EPSS score is less than 1%, indicating a low probability of exploitation in the wild. The flaw is limited to authenticated uploaders, so an attacker would need valid credentials. However, the potential for confidential data leakage makes the issue significant enough to address promptly. The vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2026-03-23T09:51:32.180533+00:00", "updated": "2026-03-25T14:33:31.988051+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}