CVE-2025-26752 is a path traversal vulnerability identified in the videowhisper Broadcast Live Video software, affecting versions up to and including 6.2. The vulnerability arises from improper limitation of pathname inputs, allowing attackers to craft malicious requests that traverse directories beyond the intended restricted folder. This can lead to unauthorized access to arbitrary files on the server hosting the application. The flaw does not require authentication, meaning any remote attacker can exploit it without valid credentials. The vulnerability could be leveraged to read sensitive configuration files, source code, or other critical data, potentially leading to further attacks such as credential theft or system compromise. Although no public exploits have been reported yet, the nature of path traversal vulnerabilities makes them relatively straightforward to exploit. The lack of a CVSS score indicates that the vulnerability is newly published and pending further analysis. The vulnerability affects a niche but globally used live streaming integration product, which is often deployed in media, education, and entertainment sectors. The absence of official patches at the time of disclosure necessitates immediate defensive measures by users of the software.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information due to the ability to access files outside the intended directories. This can compromise confidentiality by exposing configuration files, credentials, or private data stored on the server. Integrity could also be at risk if attackers modify accessible files, although the vulnerability description focuses on path traversal for reading files. Availability impact is generally low unless attackers use the access to disrupt services indirectly. The ease of exploitation without authentication increases the threat level, potentially allowing widespread scanning and exploitation by attackers. Organizations relying on videowhisper Broadcast Live Video for critical live streaming services could face data breaches, reputational damage, and regulatory consequences if sensitive information is exposed. The vulnerability may also serve as a foothold for further attacks within the network.

1. Immediately restrict file system permissions for the web server user to limit access to only necessary directories and files. 2. Implement strict input validation and sanitization on all pathname parameters to prevent directory traversal sequences such as '../'. 3. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal attempts targeting the affected endpoints. 4. Monitor server logs for unusual file access patterns or repeated traversal attempts to detect exploitation attempts early. 5. If possible, isolate the videowhisper application environment to minimize the impact of a potential breach. 6. Stay updated with vendor advisories and apply official patches or updates as soon as they become available. 7. Consider temporary disabling or restricting access to vulnerable features until a patch is released. 8. Conduct regular security assessments and penetration testing focused on file system access controls.