{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33293", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.426Z", "datePublished": "2026-03-22T16:35:16.181Z", "dateUpdated": "2026-03-24T17:48:13.332Z"}, "containers": {"cna": {"title": "AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226"}, {"name": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-22T16:35:16.181Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue."}], "source": {"advisory": "GHSA-xmjm-86qv-g226", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T17:47:31.294806Z", "id": "CVE-2026-33293", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:48:13.332Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33293", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T17:47:31.294806Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:48:05.525Z"}}], "cna": {"title": "AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter", "source": {"advisory": "GHSA-xmjm-86qv-g226", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284", "name": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-22T16:35:16.181Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33293", "state": "PUBLISHED", "dateUpdated": "2026-03-24T17:48:13.332Z", "dateReserved": "2026-03-18T18:55:47.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-22T16:35:16.181Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el par\u00e1metro 'deleteDump' en 'plugin/CloneSite/cloneServer.json.php' se pasa directamente a 'unlink()' sin ninguna sanitizaci\u00f3n de ruta. Un atacante con credenciales de clonaci\u00f3n v\u00e1lidas puede usar secuencias de salto de ruta (p. ej., '../../') para eliminar archivos arbitrarios en el servidor, incluyendo archivos cr\u00edticos de la aplicaci\u00f3n como 'configuration.php', causando una denegaci\u00f3n de servicio completa o habilitando ataques adicionales al eliminar archivos cr\u00edticos para la seguridad. La versi\u00f3n 26.0 corrige el problema."}], "id": "CVE-2026-33293", "lastModified": "2026-03-24T21:14:05.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-22T17:17:08.950", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T22:23:18.106645+00:00", "value": {"mitigation_remediation": ["Update AVideo to version 26.0 or later, which removes the vulnerable deleteDump handling", "Verify that the cloneSite plugin is not exposed to untrusted users by restricting clone feature access or disabling the feature if not required", "If an upgrade is delayed, remove or rename the configuration files such as configuration.php and place them in a protected location to mitigate accidental deletion", "Apply general security best practices: enforce least\u2011privilege for clone users, monitor file integrity, and regularly scan for unintended file modifications"], "summary": {"action": "Patch immediately", "impact": "Arbitrary file deletion and potential denial of service"}, "threat_synthesis": {"affected_systems": "AVideo, an open\u2011source video hosting platform distributed by WWBN, is affected for all releases prior to version 26.0. Users operating any pre\u201126.0 build are susceptible to this flaw.", "description_and_impact": "The vulnerability resides in the deleteDump parameter of the cloneSite plugin for the AVideo video platform. This parameter is passed directly to the unlink() function without sanitization, enabling an attacker who gains valid clone credentials to inject path traversal sequences such as ../../. This allows deletion of any file accessible to the web server, including critical configuration files like configuration.php. The consequence is loss of service or facilitation of further attacks through removal of security\u2011critical components.", "risk_and_exploitability": "The CVSS base score of 8.1 places this issue in the high\u2011severity range. An EPSS score below 1\u202f% indicates a low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, an attacker must possess clone credentials to craft the malicious deleteDump request. Once authenticated, the path traversal can be used to delete arbitrary files, causing immediate denial of service or enabling cascading attacks through removal of security files. Given the high impact and the need for authenticated access, the risk is considerable for any organization running vulnerable AVideo instances."}}}}, "created": "2026-03-23T09:45:55.535515+00:00", "updated": "2026-03-25T14:50:30.968494+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}