{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33292", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.426Z", "datePublished": "2026-03-22T16:26:08.556Z", "dateUpdated": "2026-03-23T16:04:06.517Z"}, "containers": {"cna": {"title": "AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg"}, {"name": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-22T16:26:08.556Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue."}], "source": {"advisory": "GHSA-pw4v-x838-w5pg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:03:44.291371Z", "id": "CVE-2026-33292", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:04:06.517Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos", "source": {"advisory": "GHSA-pw4v-x838-w5pg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4", "name": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-22T16:26:08.556Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33292", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:03:44.291371Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-23T16:03:54.354Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33292", "state": "PUBLISHED", "dateUpdated": "2026-03-22T16:26:08.556Z", "dateReserved": "2026-03-18T18:55:47.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-22T16:26:08.556Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue."}], "id": "CVE-2026-33292", "lastModified": "2026-03-23T16:18:24.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-22T17:17:08.753", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T17:52:53.816981+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to version 26.0 or later to eliminate the path traversal flaw."], "summary": {"action": "Patch Now", "impact": "Unauthorized Media Access"}, "threat_synthesis": {"affected_systems": "All installations of WWBN AVideo released before version 26.0 are affected. The default vendor/product name used by the CNA is WWBN:AVideo. There is no further sub\u2011version restriction listed, so any legacy deployment older than 26.0 is potentially vulnerable.", "description_and_impact": "WWBN AVideo\u2019s HLS streaming endpoint, located at view/hls.php, contains a path traversal flaw that permits an unauthenticated attacker to bypass authorization checks and stream private or paid video content. The vulnerability arises from inconsistent handling of the videoDirectory GET parameter: one code path truncates the value at the first slash for authorization, while another preserves '..' sequences for file access, creating a split-oracle condition. Consequently, a crafted request can satisfy the authorization check for one video identifier while actually serving the media of another protected video, effectively leaking confidential footage.", "risk_and_exploitability": "The CVSS score of 7.5 signifies a high severity level for confidentiality. The EPSS score is below 1%, indicating that exploitation likelihood is currently low, and the vulnerability is not yet listed in CISA\u2019s KEV catalog. However, the flaw is remotely exploitable from any unauthenticated user capable of issuing HTTP requests to the view/hls.php endpoint with a specially crafted videoDirectory value. The attack vector is likely a direct web request; no special privileges, network access, or additional software is required."}}}}, "created": "2026-03-23T09:45:57.302575+00:00", "updated": "2026-03-25T14:50:33.043568+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}