{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41058", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.173Z", "datePublished": "2026-04-21T22:43:17.095Z", "dateUpdated": "2026-04-22T18:35:59.925Z"}, "containers": {"cna": {"title": "AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2"}, {"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226"}, {"name": "https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2"}, {"name": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:43:17.095Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix."}], "source": {"advisory": "GHSA-5879-4fmr-xwf2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:25:21.691980Z", "id": "CVE-2026-41058", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:35:59.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41058", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:25:21.691980Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:17:10.821Z"}}], "cna": {"title": "AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo", "source": {"advisory": "GHSA-5879-4fmr-xwf2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 29.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2", "name": "https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284", "name": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:43:17.095Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41058", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:35:59.925Z", "dateReserved": "2026-04-16T16:43:03.173Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T22:43:17.095Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA", "versionEndIncluding": "29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix."}], "id": "CVE-2026-41058", "lastModified": "2026-04-24T15:07:57.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:21.117", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T06:14:29.130953+00:00", "value": {"mitigation_remediation": ["Apply the AVideo patch that implements proper path\u2011traversal validation (commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 or any newer release that includes this fix.", "Restrict access to the CloneSite deleteDump endpoint so that only authorized administrative accounts can trigger it.", "Review and tighten file system permissions for directories used by deleteDump to restrict unlink operations to the application\u2019s process user."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "WWBN AVideo versions 29.0 and earlier are affected. These releases lack the full path\u2011validation logic that was added in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2.", "description_and_impact": "An incomplete patch in AVideo\u2019s CloneSite feature leaves the deleteDump GET parameter without any path\u2011traversal filtering. An attacker who can send crafted URLs that contain \"../../\" sequences can cause the server to execute unlink() on arbitrary files. The result is unauthorized deletion of files on the host, which can lead to data loss, service disruption, or further compromise if critical system files are targeted.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this flaw as high severity, and although EPSS data is not available, the weakness is present in a publicly reachable web endpoint, making remote exploitation feasible. The vulnerability is not listed in the CISA KEV catalog, but the lack of mitigation in affected releases poses a significant risk to exposed installations."}}}}, "created": "2026-04-22T03:30:06.537841+00:00", "updated": "2026-04-22T06:15:10.420632+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}