CVE-2026-33238: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2026-33238 is a path traversal vulnerability classified under CWE-22 affecting WWBN AVideo, an open-source video platform. The vulnerability exists in versions prior to 26.0 within the listFiles.json.php endpoint, which accepts a POST parameter named 'path'. This parameter is passed directly to the PHP glob() function without any validation or restriction to a designated base directory. As a result, an authenticated user with uploader privileges can supply arbitrary absolute paths to traverse the server’s filesystem beyond the intended media directories. This enables the attacker to enumerate all .mp4 files on the server, including those stored outside the web root, such as private or premium content directories. The vulnerability does not allow file modification or deletion but exposes sensitive information about file locations and media assets, which could facilitate further attacks or unauthorized access. The flaw requires authentication but no additional user interaction, and the attack surface is limited to authenticated uploaders. The issue was addressed in version 26.0 by implementing proper path restrictions to confine file enumeration to allowed directories. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, and limited confidentiality impact.
Potential Impact
The primary impact of this vulnerability is unauthorized information disclosure. By enumerating .mp4 files and their absolute paths, an attacker can gain insights into the server’s directory structure and media assets, including private or premium content that should not be publicly accessible. This could lead to privacy violations, intellectual property theft, or facilitate targeted attacks such as social engineering or privilege escalation. While the vulnerability does not allow direct modification or deletion of files, the disclosed information could be leveraged in multi-stage attacks. Organizations hosting sensitive or proprietary video content on affected versions of WWBN AVideo are at risk of exposing valuable media assets. The requirement for authentication limits the attack to users with uploader privileges, reducing the scope but still posing a significant risk if credentials are compromised or insider threats exist. The vulnerability could undermine customer trust and lead to regulatory compliance issues if sensitive content is exposed.
Mitigation Recommendations
The most effective mitigation is to upgrade WWBN AVideo to version 26.0 or later, where the vulnerability is patched by restricting the 'path' parameter to an allowed base directory. Until upgrading is possible, organizations should implement strict access controls on uploader accounts to minimize the risk of credential compromise. Additionally, web application firewalls (WAFs) can be configured to detect and block suspicious path traversal patterns in POST requests to listFiles.json.php. Logging and monitoring of file enumeration activities by authenticated users should be enhanced to detect anomalous behavior. Code-level mitigations include sanitizing and validating the 'path' parameter to ensure it cannot reference directories outside the intended media folders. Restricting filesystem permissions to prevent the web server user from accessing sensitive directories can also reduce impact. Regular security audits and penetration testing should verify that no other endpoints expose similar path traversal flaws.
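The code-level mitigation described above, as an added example that is not AVideo's own code: the user-supplied path is resolved with realpath() and required to stay under an allowed base directory before glob() runs, and only base-relative names are returned. The function name, the base directory and the JSON shape are assumptions.

```php
<?php
// Added example, not AVideo's own code: confine a user-supplied listing path
// to an allowed base directory before it reaches glob(). The function name,
// the base directory and the JSON shape are assumptions for illustration.

function list_mp4_files(string $base, string $requestedPath): array
{
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        throw new RuntimeException('Allowed base directory is missing');
    }

    // Only a relative subdirectory name is accepted: absolute paths, Windows
    // drive prefixes and glob metacharacters are rejected before any resolution.
    if (preg_match('#^[/\\\\]|^[A-Za-z]:|[*?\[\]{}]#', $requestedPath)) {
        return [];
    }

    // realpath() collapses ".." segments and symlinks, so the containment
    // check below sees the directory glob() would actually read.
    $candidate  = $requestedPath === '' ? $realBase : $realBase . DIRECTORY_SEPARATOR . $requestedPath;
    $realTarget = realpath($candidate);
    if ($realTarget === false || !is_dir($realTarget)) {
        return [];
    }

    // The trailing separator stops "/srv/media2" from passing as inside "/srv/media".
    if (strpos($realTarget . DIRECTORY_SEPARATOR, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return [];
    }

    $files = [];
    foreach (glob($realTarget . DIRECTORY_SEPARATOR . '*.mp4') ?: [] as $file) {
        // Report base-relative names so absolute server paths are not disclosed.
        $files[] = substr($file, strlen($realBase) + 1);
    }
    return $files;
}

// Endpoint usage (base directory is a placeholder, not AVideo's real layout):
$files = list_mp4_files('/srv/avideo/videos', (string)($_POST['path'] ?? ''));
header('Content-Type: application/json');
echo json_encode(['files' => $files]);
```

Because realpath() returns false for a path that does not exist, a request naming a missing or unreadable directory yields an empty list rather than an error that leaks whether the path exists.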
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T02:42:27.508Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdda56b462d409683a8be3
Added to database: 3/20/2026, 11:37:58 PM
Last enriched: 3/20/2026, 11:39:04 PM
Last updated: 3/21/2026, 3:53:27 AM