{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33354", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-23T13:58:13.712Z", "dateUpdated": "2026-03-25T14:13:08.253Z"}, "containers": {"cna": {"title": "AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`", "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6"}, {"name": "https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T13:58:13.712Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue."}], "source": {"advisory": "GHSA-4jw9-5hrc-m4j6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:12:12.119949Z", "id": "CVE-2026-33354", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:13:08.253Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33354", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:12:12.119949Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:13:01.251Z"}}], "cna": {"title": "AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`", "source": {"advisory": "GHSA-4jw9-5hrc-m4j6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f", "name": "https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T13:58:13.712Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33354", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:13:08.253Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T13:58:13.712Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, `POST /objects/aVideoEncoder.json.php` acepta un par\u00e1metro `chunkFile` controlado por el solicitante, destinado a fragmentos de carga por etapas. En lugar de restringir esa ruta a ubicaciones de fragmentos generadas por el servidor de confianza, el endpoint acepta rutas arbitrarias del sistema de archivos local que pasan `isValidURLOrPath()`. Esa funci\u00f3n auxiliar permite archivos bajo directorios amplios del servidor, incluyendo `/var/www/`, la ra\u00edz de la aplicaci\u00f3n, cach\u00e9, tmp, y `videos`, solo rechazando archivos `.php`. Para un cargador autenticado que edita su propio video, esto se convierte en una lectura arbitraria de archivos locales. El endpoint copia el archivo local elegido por el atacante en la ruta de almacenamiento de video p\u00fablico del atacante, despu\u00e9s de lo cual puede ser descargado por HTTP. El commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contiene un parche para el problema."}], "id": "CVE-2026-33354", "lastModified": "2026-03-24T18:57:18.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-23T15:16:33.897", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/59bbd601a3f65a5b18c1d9e4eb11471c0a59214f"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jw9-5hrc-m4j6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T21:50:26.215701+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f or upgrade to a newer AVideo release", "Verify that the POST endpoint now rejects non\u2011server\u2011generated chunkFile paths and only accepts trusted, server\u2011generated locations", "If an upgrade is not immediately possible, restrict the upload endpoint to server\u2011generated paths or disable it for users without upload privileges", "Monitor application logs for suspicious file copy or download activity"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Arbitrary Local File Read"}, "threat_synthesis": {"affected_systems": "The vulnerability affects WWBN AVideo versions up to and including 26.0. The flaw resides in the POST /objects/aVideoEncoder.json.php endpoint used for staged video uploads, where the chunkFile path is not properly restricted to trusted server\u2011generated locations.", "description_and_impact": "An authenticated user with upload privileges can submit a chunkFile parameter that points to any local file on the server. The endpoint accepts the path if it passes a relaxed validation routine, then copies the chosen file into the user\u2019s public video storage and serves it over HTTP. This provides the attacker with the ability to read any file that the web server process can access, including configuration files, credentials, or other sensitive data, thereby compromising confidentiality.", "risk_and_exploitability": "The issue carries a CVSS score of 7.6, indicating high severity. Its EPSS score is below 1%, and it is not listed in the CISA known exploited vulnerabilities catalog, suggesting low current exploitation activity. Once authenticated, the attacker can craft a path to any readable file, copy it into a publicly accessible location, and download it. If file permissions permit, critical files such as /etc/passwd or application configuration files could be exposed."}}}}, "created": "2026-03-24T10:33:50.238686+00:00", "updated": "2026-03-25T21:28:06.315926+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}