WWBN AVideo is an open-source video platform that prior to version 26.0 contained a critical path traversal vulnerability (CVE-2026-33292) in its HTTP Live Streaming (HLS) endpoint located at view/hls.php. The vulnerability stems from improper validation and inconsistent handling of the videoDirectory GET parameter. Specifically, the authorization logic truncates the parameter at the first '/' segment, effectively checking permissions against one video path, while the file access logic uses the full parameter including any '..' sequences, allowing directory traversal outside the intended restricted directory. This split-oracle condition enables an unauthenticated attacker to bypass authorization controls and stream any private or paid video hosted on the platform. The vulnerability does not require authentication or user interaction, making it easily exploitable remotely over the network. The CVSS 3.1 base score is 7.5 (high), reflecting the ease of exploitation and the high confidentiality impact due to unauthorized access to protected video content. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk to organizations relying on AVideo for secure video streaming. The issue was addressed in version 26.0 by correcting the pathname validation to ensure consistent authorization and file access checks, eliminating the path traversal vector.

This vulnerability allows attackers to bypass access controls and stream private or paid videos without authorization, leading to significant confidentiality breaches. Organizations using affected versions risk unauthorized disclosure of proprietary, sensitive, or monetized video content, potentially resulting in financial losses, reputational damage, and violation of privacy or licensing agreements. Since the exploit requires no authentication or user interaction, it can be automated and scaled, increasing the risk of widespread unauthorized access. Content providers, educational institutions, media companies, and any entity relying on AVideo for secure content delivery are particularly vulnerable. Additionally, the exposure of private content could lead to further attacks if sensitive information is embedded within videos or metadata. The availability and integrity of the platform are not directly impacted, but the confidentiality breach alone is critical.

The primary mitigation is to upgrade WWBN AVideo to version 26.0 or later, where the vulnerability is fixed. For organizations unable to immediately upgrade, implement strict web application firewall (WAF) rules to detect and block requests containing path traversal sequences such as '..' in the videoDirectory parameter. Conduct thorough input validation and sanitization on all user-supplied parameters, ensuring consistent handling between authorization and file access logic. Restrict direct access to the HLS streaming endpoint to authenticated users where possible, adding an additional layer of access control. Monitor logs for suspicious access patterns targeting the view/hls.php endpoint. Employ network segmentation and least privilege principles to limit exposure of the video streaming infrastructure. Finally, conduct regular security audits and penetration testing focused on path traversal and access control vulnerabilities to proactively identify similar issues.