CVE-2026-33354: CWE-73: External Control of File Name or Path in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass `isValidURLOrPath()`. That helper allows files under broad server directories including `/var/www/`, the application root, cache, tmp, and `videos`, only rejecting `.php` files. For an authenticated uploader editing their own video, this becomes an arbitrary local file read. The endpoint copies the attacker-chosen local file into the attacker's public video storage path, after which it can be downloaded over HTTP. Commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f contains a patch for the issue.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that, in versions up to and including 26.0, contains a vulnerability identified as CVE-2026-33354, categorized under CWE-73 (External Control of File Name or Path). The vulnerability exists in the `POST /objects/aVideoEncoder.json.php` endpoint, which accepts a `chunkFile` parameter intended for uploading video chunks in stages. Instead of restricting this parameter to server-generated chunk file locations, the application accepts arbitrary local filesystem paths that pass the `isValidURLOrPath()` validation. This validation is insufficiently restrictive, allowing paths under broad server directories such as `/var/www/`, the application root, cache, tmp, and `videos` directories, while only excluding files with a `.php` extension. An authenticated user with uploader privileges can exploit this flaw to read arbitrary local files by specifying their paths in the `chunkFile` parameter. The endpoint then copies the chosen local file into the attacker's public video storage directory, making the file accessible for download over HTTP. This results in an arbitrary local file read vulnerability, potentially exposing sensitive server files. The vulnerability requires authentication but no additional user interaction. The patch addressing this issue was committed in commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f. The CVSS v3.1 score is 7.6, reflecting a high-severity issue with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality (high), integrity (low), and availability (low). No known exploits are currently reported in the wild.
Potential Impact
The primary impact of CVE-2026-33354 is the unauthorized disclosure of sensitive local files on the server hosting the WWBN AVideo platform. Attackers who gain authenticated uploader access can read arbitrary files within broad server directories, potentially exposing configuration files, credentials, logs, or other sensitive data. This can lead to further compromise, including privilege escalation, lateral movement, or data leakage. The ability to copy files into publicly accessible video storage paths exacerbates the risk by making sensitive data accessible over HTTP to any external party. Although the vulnerability does not allow execution of arbitrary code or direct modification of files, the confidentiality breach alone can have severe consequences for organizations relying on AVideo for media hosting, especially if sensitive internal files are exposed. The requirement for authentication limits the attack surface but does not eliminate risk, as attackers may obtain credentials through phishing, credential stuffing, or insider threats. The vulnerability affects availability and integrity to a lesser extent, as it primarily involves file reading and copying rather than deletion or modification.
Mitigation Recommendations
Organizations using WWBN AVideo should immediately upgrade to a version that includes the patch for CVE-2026-33354, as indicated by commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f or later releases. Until patching is possible, administrators should restrict uploader privileges strictly to trusted users and monitor upload activity for suspicious use of the `chunkFile` parameter. Implementing web application firewall (WAF) rules to detect and block requests attempting to specify unusual or sensitive file paths in the `chunkFile` parameter can provide temporary mitigation. Additionally, server-side hardening should be applied by restricting file system permissions to limit access to sensitive directories from the application user context. Logging and alerting on anomalous file access patterns related to video uploads can help detect exploitation attempts. Finally, reviewing and tightening the validation logic for file paths in upload endpoints to enforce strict whitelisting of allowed directories and file types is critical to prevent similar issues.
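The last recommendation above, enforcing a strict allowlist for the chunk path, is easiest to see in code. The following PHP is an added example written for this page; it is not AVideo's code and not its `isValidURLOrPath()` helper. The `weakIsValidPath()` function only reproduces the shape the advisory describes (broad directory prefixes allowed, `.php` refused) to contrast with the hardened resolver. The chunk directory, the `<id>_<n>.part` naming scheme, and the use of PHP 8 (`str_starts_with`, `str_ends_with`) are assumptions for the example.

```php
<?php
// Added example (not AVideo's own code): allowlisting a staged-upload chunk.
// Assumed scheme: the server stages chunks under $chunkDir with names it
// generated itself, e.g. "abcdef1234_0.part". The client may only name a
// chunk; it never supplies a path.
declare(strict_types=1);

/**
 * Illustrative weak check in the shape the advisory describes: a few broad
 * directory prefixes are allowed and only ".php" is refused. Any other
 * existing file under those trees passes. NOT the real AVideo helper.
 */
function weakIsValidPath(string $path): bool
{
    $allowedPrefixes = ['/var/www/', sys_get_temp_dir() . '/'];
    foreach ($allowedPrefixes as $prefix) {
        if (str_starts_with($path, $prefix) && !str_ends_with($path, '.php')) {
            return true;
        }
    }
    return false;
}

/**
 * Hardened resolver: map a requester-supplied chunk NAME to a regular file
 * inside $chunkDir, or return null for anything else.
 */
function resolveChunkFile(string $chunkDir, string $requested): ?string
{
    // 1. Only the server's own naming scheme is accepted. This excludes
    //    separators, "..", NUL bytes and absolute paths by construction.
    if (!preg_match('/\A[A-Za-z0-9]{8,64}_[0-9]{1,5}\.part\z/', $requested)) {
        return null;
    }

    // 2. Canonicalise both sides. realpath() returns false for a missing
    //    file and resolves symlinks, so a planted symlink inside the chunk
    //    directory is seen as its target.
    $base = realpath($chunkDir);
    $full = realpath($chunkDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }

    // 3. Containment check on the canonical paths. The trailing separator
    //    keeps "/tmp/chunks-other" from matching base "/tmp/chunks".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // 4. Regular file only: no directories, devices or FIFOs.
    return is_file($full) ? $full : null;
}

// --- Self-contained demo with constructed files (not real data) ---
$chunkDir = sys_get_temp_dir() . '/avideo-chunks-demo';
@mkdir($chunkDir, 0700, true);
file_put_contents($chunkDir . '/abcdef1234_0.part', 'chunk bytes');
$secret = sys_get_temp_dir() . '/avideo-demo-secret.txt';
file_put_contents($secret, 'not for download');

echo "weak prefix/denylist check (shape described in the advisory):\n";
foreach ([$chunkDir . '/abcdef1234_0.part', $secret, '/var/www/html/.env'] as $p) {
    printf("  %-48s %s\n", $p, weakIsValidPath($p) ? 'accept' : 'reject');
}

echo "hardened resolver (client names a chunk, server builds the path):\n";
foreach (['abcdef1234_0.part', '../avideo-demo-secret.txt', $secret, 'abcdef1234_9.part'] as $n) {
    printf("  %-48s %s\n", $n, resolveChunkFile($chunkDir, $n) === null ? 'reject' : 'accept');
}

// Clean up the constructed files.
unlink($chunkDir . '/abcdef1234_0.part');
unlink($secret);
rmdir($chunkDir);
```

The weak check accepts all three of its inputs, including the unrelated temp file and a path under the web root, because it reasons about prefixes and one extension rather than about which files the endpoint is allowed to touch. The hardened resolver accepts only the existing, server-named chunk and rejects the traversal attempt, the absolute path, and the nonexistent chunk. The same shape (name allowlist, canonicalisation, containment, file-type check) applies to any endpoint that turns a request parameter into a local path.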
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T22:15:11.814Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c7e
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/30/2026, 8:20:44 PM
Last updated: 4/30/2026, 11:36:45 AM
Views: 36