CVE-2026-33354: CWE-73: External Control of File Name or Path in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue.
AI Analysis
Technical Summary
WWBN AVideo, an open-source video platform, contains a vulnerability identified as CVE-2026-33354 affecting versions up to and including 26.0. The issue arises in the POST /objects/aVideoEncoder.json.php endpoint, which handles chunked video uploads via a chunkFile parameter. This parameter is intended to reference staged upload chunks but is insufficiently validated. The validation function isValidURLOrPath() permits file paths located in broad server directories such as /var/www/, the application root, cache, tmp, and videos directories, only disallowing files with a .php extension. An authenticated user uploading or editing their own video can exploit this to specify arbitrary local file paths, enabling an arbitrary local file read. The endpoint copies the attacker-specified local file into the public video storage directory, making it accessible for download over HTTP. This results in unauthorized disclosure of potentially sensitive server files. The vulnerability does not allow file modification or deletion, but the confidentiality impact is high. The vulnerability requires the attacker to have valid uploader credentials but does not require additional user interaction. A patch addressing this issue has been committed (commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f). The CVSS v3.1 score is 7.6, reflecting high severity with network attack vector, low attack complexity, privileges required, no user interaction, and high confidentiality impact with limited integrity and availability impact.
Potential Impact
This vulnerability poses a significant confidentiality risk to organizations using WWBN AVideo versions up to 26.0. Attackers with authenticated uploader access can read arbitrary files on the server, potentially exposing sensitive configuration files, credentials, private videos, or other critical data stored within the accessible directories. The ability to download these files over HTTP increases the risk of data leakage to unauthorized parties. While the vulnerability does not allow direct code execution or system compromise, the exposure of sensitive files could facilitate further attacks, including privilege escalation or lateral movement within the network. Organizations hosting sensitive or proprietary video content or operating in regulated industries face heightened risk of compliance violations and reputational damage. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with weak access controls or compromised uploader accounts. The vulnerability's ease of exploitation and broad directory access make it a critical concern for affected deployments.
Mitigation Recommendations
Organizations should immediately upgrade WWBN AVideo to a version that includes the patch for CVE-2026-33354 or apply the patch from commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f if available. Until patched, restrict uploader privileges to trusted users only and monitor upload activity for suspicious file path usage. Implement strict access controls and auditing on the server directories accessible by the application to limit exposure. Consider deploying web application firewalls (WAF) with custom rules to detect and block anomalous chunkFile parameter values referencing unexpected paths. Review and harden authentication mechanisms to prevent unauthorized uploader account compromise. Additionally, segregate sensitive files and directories outside the web root or restrict read permissions to minimize the impact of arbitrary file reads. Regularly scan logs for unusual download patterns from the public video storage path. Finally, educate administrators and users about the risks and ensure timely patch management processes are in place.
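The description above says the chunk path was accepted as long as it sat under a broad server directory and did not end in `.php`; the mitigation is to accept only server-generated chunk locations. The following is an added example (not WWBN AVideo's own code, and `weakIsValidPath`, `resolveTrustedChunk`, the staging directory and the `<hex id>.partN` naming scheme are all assumptions) that places an extension-denylist check of the kind described beside an allowlist check that canonicalises the path and accepts only a regular file directly inside one staging directory:

```php
<?php
declare(strict_types=1);

// Hypothetical weak validator mirroring the advisory's description: any path
// under a broad root is accepted unless its extension is ".php".
function weakIsValidPath(string $path, array $allowedRoots): bool
{
    foreach ($allowedRoots as $root) {
        if (str_starts_with($path, $root)) {
            return strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php';
        }
    }
    return false;
}

// Hardened validator (assumed design): the requester may only name a chunk the
// server itself staged. Only the basename is used, it must match the server's
// naming scheme, and the resolved file must sit directly inside $chunkDir so a
// symlink planted in the staging area cannot point elsewhere. Returns the
// canonical path on success, null on rejection.
function resolveTrustedChunk(string $requested, string $chunkDir): ?string
{
    $realChunkDir = realpath($chunkDir);
    if ($realChunkDir === false) {
        return null;
    }
    $basename = basename($requested);
    // Assumed server-side chunk naming: <32 hex chars upload id>.part<n>
    if (!preg_match('/^[0-9a-f]{32}\.part[0-9]+$/', $basename)) {
        return null;
    }
    $real = realpath($realChunkDir . DIRECTORY_SEPARATOR . $basename);
    if ($real === false || !is_file($real) || dirname($real) !== $realChunkDir) {
        return null;
    }
    return $real;
}

// Constructed demo layout: a staging directory holding one legitimate chunk,
// and an application config file elsewhere under the same broad root.
$base     = sys_get_temp_dir() . '/chunk_demo_' . bin2hex(random_bytes(4));
$chunkDir = $base . '/chunks';
mkdir($chunkDir, 0700, true);
mkdir($base . '/app', 0700);
$chunk  = $chunkDir . '/' . str_repeat('a', 32) . '.part1';
$config = $base . '/app/configuration.json';
file_put_contents($chunk, 'chunk-bytes');
file_put_contents($config, '{"db_password":"constructed-sample"}');

$allowedRoots = [$base]; // stands in for the broad roots the advisory lists

$cases = [
    $chunk,                                     // genuine staged chunk
    $config,                                    // direct path to a config file
    $chunkDir . '/../app/configuration.json',   // traversal that stays under $base
    $chunkDir . '/evil.php',                    // the one case the denylist catches
];
foreach ($cases as $c) {
    printf("%-70s weak=%-6s hardened=%s\n", $c,
        weakIsValidPath($c, $allowedRoots) ? 'accept' : 'reject',
        resolveTrustedChunk($c, $chunkDir) === null ? 'reject' : 'accept');
}

// Clean up the constructed files.
unlink($chunk);
unlink($config);
rmdir($chunkDir);
rmdir($base . '/app');
rmdir($base);
```

Run it with `php` 8 or later (it uses `str_starts_with`). The denylist accepts the config file and the traversal path because neither ends in `.php`; the allowlist rejects both because their basenames are not server-issued chunk names, and it would also reject a correctly named symlink whose target lies outside the staging directory. A stricter design still is to accept a chunk identifier rather than any path at all and build the filename server-side.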
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T22:15:11.814Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c7e
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/23/2026, 2:47:40 PM
Last updated: 3/24/2026, 5:18:45 AM