{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33493", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.887Z", "datePublished": "2026-03-23T15:52:33.788Z", "dateUpdated": "2026-03-23T16:33:28.572Z"}, "containers": {"cna": {"title": "AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-83xq-8jxj-4rxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-83xq-8jxj-4rxm"}, {"name": "https://github.com/WWBN/AVideo/commit/e110ff542acdd7e3b81bdd02b8402b9f6a61ad78", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/e110ff542acdd7e3b81bdd02b8402b9f6a61ad78"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T15:52:33.788Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch."}], "source": {"advisory": "GHSA-83xq-8jxj-4rxm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:33:19.961226Z", "id": "CVE-2026-33493", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:33:28.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33493", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:33:19.961226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:33:25.613Z"}}], "cna": {"title": "AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter", "source": {"advisory": "GHSA-83xq-8jxj-4rxm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-83xq-8jxj-4rxm", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-83xq-8jxj-4rxm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/e110ff542acdd7e3b81bdd02b8402b9f6a61ad78", "name": "https://github.com/WWBN/AVideo/commit/e110ff542acdd7e3b81bdd02b8402b9f6a61ad78", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T15:52:33.788Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33493", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:33:28.572Z", "dateReserved": "2026-03-20T16:59:08.887Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T15:52:33.788Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint 'objects/import.json.php' acepta un par\u00e1metro POST 'fileURI' controlado por el usuario con solo una verificaci\u00f3n de expresi\u00f3n regular de que el valor termina en '.mp4'. A diferencia de 'objects/listFiles.json.php', que fue reforzado con una verificaci\u00f3n de prefijo de directorio + 'realpath()' para restringir las rutas al directorio 'videos/', 'import.json.php' no realiza ninguna restricci\u00f3n de directorio. Esto permite a un usuario autenticado con permiso de carga: (1) robar los archivos de video privados de cualquier otro usuario import\u00e1ndolos a su propia cuenta, (2) leer archivos '.txt' / '.html' / '.htm' adyacentes a cualquier archivo '.mp4' en el sistema de archivos, y (3) eliminar archivos '.mp4' y archivos de texto adyacentes si son escribibles por el proceso del servidor web. El commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contiene un parche."}], "id": "CVE-2026-33493", "lastModified": "2026-03-24T18:17:24.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-23T16:16:49.433", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/e110ff542acdd7e3b81bdd02b8402b9f6a61ad78"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-83xq-8jxj-4rxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T19:28:41.958379+00:00", "value": {"mitigation_remediation": ["Apply the latest patch to import.json.php (commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 or newer version excluding the vulnerability).", "Verify that the endpoint now uses realpath() and directory prefix checks to restrict file access to the videos/ directory.", "If an immediate patch is not possible, remove or limit upload permissions for users to prevent unauthorized use of import.json.php.", "Monitor server logs for unusual fileURI parameters or repeated attempts to read non\u2011video files."], "summary": {"action": "Apply patch", "impact": "Unauthorized file read, deletion, and private video theft"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo. All releases up to and including version 26.0 are vulnerable. Users running those versions of the platform are susceptible to the described attacks. The issue was known to the developers and a patch commit (e110ff542acdd7e3b81bdd02b8402b9f6a61ad78) addresses the flaw.", "description_and_impact": "The vulnerability resides in the import.json.php endpoint, where a user-controlled fileURI POST parameter is only validated for a .mp4 suffix. This oversight allows an authenticated user with upload permissions to supply arbitrary file paths, enabling the reading of any file on the server\u2019s filesystem that is adjacent to an .mp4 file. As a result, attackers can steal other users\u2019 private videos, exfiltrate sensitive text or HTML files located next to video files, and delete both .mp4 files and their neighboring files if the web server process has write permission. The weakness is a classic path\u2011traversal flaw (CWE\u201122).", "risk_and_exploitability": "The CVSS score of 7.1 indicates a medium\u2011to\u2011high severity level. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. However, the requirement for authenticated upload permission means that the attacker must be a recognized user, which could be feasible in environments with lax account controls. The lack of proper directory restrictions is the core exploit vector, and once an authenticated user exploits the flaw, they can perform the full set of actions described above. Prompt remediation is therefore advisable."}}}}, "created": "2026-03-24T10:33:38.576827+00:00", "updated": "2026-03-25T20:37:29.815865+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}