CVE-2026-33238: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
AI Analysis
Technical Summary
WWBN AVideo before version 26.0 contains a CWE-22 path traversal vulnerability in the listFiles.json.php endpoint. The endpoint takes a user-supplied path parameter and uses it in a glob() call without validating or restricting the path to an allowed directory. This allows an authenticated uploader to supply arbitrary absolute paths, enabling traversal of the server filesystem and enumeration of .mp4 files and their full paths outside the intended directory scope. The vulnerability is addressed in version 26.0 by restricting path input to prevent traversal.
Potential Impact
An authenticated uploader can enumerate .mp4 files anywhere on the server filesystem, including sensitive directories outside the web root such as private or premium media folders. This exposure of file names and absolute paths could aid an attacker in further attacks or unauthorized access to media content. The vulnerability does not allow modification or deletion of files, nor does it impact availability. The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited confidentiality impact and low complexity of exploitation with required privileges.
Mitigation Recommendations
Upgrade WWBN AVideo to version 26.0 or later, which contains an official patch restricting the path parameter to an allowed base directory, preventing path traversal. No other mitigations are indicated by the vendor advisory. Patch status is confirmed by the vendor's versioning information.
CVE-2026-33238: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
CVSS v3.1
Score 4.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo before version 26.0 contains a CWE-22 path traversal vulnerability in the listFiles.json.php endpoint. The endpoint takes a user-supplied path parameter and uses it in a glob() call without validating or restricting the path to an allowed directory. This allows an authenticated uploader to supply arbitrary absolute paths, enabling traversal of the server filesystem and enumeration of .mp4 files and their full paths outside the intended directory scope. The vulnerability is addressed in version 26.0 by restricting path input to prevent traversal.
Potential Impact
An authenticated uploader can enumerate .mp4 files anywhere on the server filesystem, including sensitive directories outside the web root such as private or premium media folders. This exposure of file names and absolute paths could aid an attacker in further attacks or unauthorized access to media content. The vulnerability does not allow modification or deletion of files, nor does it impact availability. The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited confidentiality impact and low complexity of exploitation with required privileges.
Mitigation Recommendations
Upgrade WWBN AVideo to version 26.0 or later, which contains an official patch restricting the path parameter to an allowed base directory, preventing path traversal. No other mitigations are indicated by the vendor advisory. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-18T02:42:27.508Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69bdda56b462d409683a8be3
Added to database: 3/20/2026, 11:37:58 PM
Last enriched: 5/7/2026, 1:49:04 AM
Last updated: 6/18/2026, 8:34:41 AM
Views: 63
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.