CVE-2026-33238: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
AI Analysis
Technical Summary
WWBN AVideo before version 26.0 contains a CWE-22 path traversal vulnerability in the `listFiles.json.php` endpoint. The endpoint accepts a `path` parameter from authenticated uploaders and passes it unchecked to the glob() function, allowing traversal of arbitrary absolute paths on the server filesystem. This enables enumeration of .mp4 files and their full paths outside the intended restricted directory, potentially exposing private or premium media files. The vulnerability is addressed in version 26.0 by restricting the path parameter to an allowed base directory.
Potential Impact
An authenticated uploader can enumerate .mp4 files anywhere on the server filesystem, including outside the web root and in sensitive directories such as private or premium media folders. This exposure is limited to information disclosure of file names and paths; there is no indication of code execution or file modification. The CVSS score is 4.3 (medium severity), reflecting limited confidentiality impact without integrity or availability effects.
Mitigation Recommendations
Upgrade WWBN AVideo to version 26.0 or later, which contains an official patch restricting the `path` parameter to an allowed base directory and prevents path traversal. No other mitigations are indicated or required once the patch is applied.
CVE-2026-33238: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo before version 26.0 contains a CWE-22 path traversal vulnerability in the `listFiles.json.php` endpoint. The endpoint accepts a `path` parameter from authenticated uploaders and passes it unchecked to the glob() function, allowing traversal of arbitrary absolute paths on the server filesystem. This enables enumeration of .mp4 files and their full paths outside the intended restricted directory, potentially exposing private or premium media files. The vulnerability is addressed in version 26.0 by restricting the path parameter to an allowed base directory.
Potential Impact
An authenticated uploader can enumerate .mp4 files anywhere on the server filesystem, including outside the web root and in sensitive directories such as private or premium media folders. This exposure is limited to information disclosure of file names and paths; there is no indication of code execution or file modification. The CVSS score is 4.3 (medium severity), reflecting limited confidentiality impact without integrity or availability effects.
Mitigation Recommendations
Upgrade WWBN AVideo to version 26.0 or later, which contains an official patch restricting the `path` parameter to an allowed base directory and prevents path traversal. No other mitigations are indicated or required once the patch is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-18T02:42:27.508Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69bdda56b462d409683a8be3
Added to database: 3/20/2026, 11:37:58 PM
Last enriched: 4/14/2026, 11:28:43 AM
Last updated: 4/30/2026, 11:05:45 AM
Views: 34
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.