
CVE-2026-33493: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo

Severity: High
Published: Mon Mar 23 2026 (03/23/2026, 15:52:33 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

CVE-2026-33493 is a high-severity path traversal vulnerability in WWBN AVideo versions up to 26.0. The flaw exists in the objects/import.json.php endpoint, which accepts a user-controlled fileURI parameter with only a regex check for the .mp4 extension but lacks directory path restrictions. Authenticated users with upload permissions can exploit this to access or delete other users' private video files and read or remove adjacent text-based files on the server. The vulnerability arises because, unlike a similar endpoint that uses realpath() and directory prefix checks, import.json.php does not restrict file paths to the videos directory.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/23/2026, 17:16:00 UTC

Technical Analysis

WWBN AVideo is an open source video platform that, in versions up to and including 26.0, contains a path traversal vulnerability identified as CVE-2026-33493. The vulnerability is located in the objects/import.json.php endpoint, which processes a POST parameter named fileURI. This parameter is intended to specify a video file to import and is superficially validated by a regex ensuring the filename ends with .mp4. However, unlike the objects/listFiles.json.php endpoint that enforces strict directory restrictions using realpath() and directory prefix checks to confine file operations within the videos/ directory, import.json.php lacks such safeguards. Consequently, an authenticated user with upload permissions can manipulate the fileURI parameter to traverse directories outside the intended scope. This allows the attacker to perform several malicious actions: (1) steal private video files belonging to other users by importing them into their own account, violating confidentiality; (2) read adjacent .txt, .html, or .htm files located near any .mp4 file on the filesystem, potentially exposing sensitive information; and (3) delete .mp4 and adjacent text files if the web server process has write permissions, impacting data integrity. The vulnerability does not affect availability and requires authentication but no additional user interaction. The issue has been addressed in a patch (commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78) that presumably adds proper path validation and directory restrictions. The CVSS v3.1 base score is 7.1, indicating a high severity due to the ease of exploitation and significant confidentiality impact.
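As an added illustration, not AVideo's code and not the contents of the referenced patch commit, the following PHP puts an extension-only check of the kind the analysis describes next to a realpath()-plus-prefix check of the kind it credits to objects/listFiles.json.php. The directory layout, file names and function names are constructed for the example; it assumes a POSIX filesystem.

```php
<?php
// Added illustration, not AVideo's code: an extension-only check next to a
// realpath()-confined check. Directory layout and function names are constructed.

// Weak: the regex only looks at the suffix, so "../other/secret.mp4" passes.
function extensionOnlyCheck(string $fileURI): bool
{
    return preg_match('/\.mp4$/i', $fileURI) === 1;
}

// Hardened: resolve the candidate relative to the videos directory, canonicalise
// with realpath() (which also follows symlinks), and require the result to start
// with the canonical videos directory plus a separator. Returns null on rejection.
function resolveInsideVideosDir(string $fileURI, string $videosDir): ?string
{
    if (preg_match('/\.mp4$/i', $fileURI) !== 1) {
        return null;
    }
    if (strpos($fileURI, "\0") !== false) {
        return null; // embedded NUL bytes are never legitimate here (and realpath() rejects them)
    }
    $base = realpath($videosDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $fileURI);
    if ($candidate === false) {
        return null; // non-existent path; reveal nothing beyond "not found"
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside videos/: traversal or symlink escape
    }
    return $candidate;
}

// Constructed layout: videos/alice/clip.mp4 is in scope, private/secret.mp4 is not,
// and videos/alice/link.mp4 is a symlink that points out of the videos directory.
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
mkdir("$root/videos/alice", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/videos/alice/clip.mp4", 'video');
file_put_contents("$root/private/secret.mp4", 'video');
symlink("$root/private/secret.mp4", "$root/videos/alice/link.mp4");

$inputs = [
    'alice/clip.mp4',          // legitimate: accepted by both checks
    '../private/secret.mp4',   // traversal: passes the suffix check, rejected when confined
    'alice/link.mp4',          // symlink escape: suffix check passes, realpath() exposes the target
    'alice/clip.mp4.txt',      // wrong extension: rejected by both
];
foreach ($inputs as $in) {
    printf("%-26s extension-only=%s confined=%s\n",
        $in,
        extensionOnlyCheck($in) ? 'pass' : 'reject',
        resolveInsideVideosDir($in, "$root/videos") === null ? 'reject' : 'accept');
}

// Clean up the constructed layout.
unlink("$root/videos/alice/link.mp4");
unlink("$root/videos/alice/clip.mp4");
unlink("$root/private/secret.mp4");
rmdir("$root/videos/alice");
rmdir("$root/videos");
rmdir("$root/private");
rmdir($root);
```

The prefix comparison must include the trailing separator; comparing against the bare base path would accept a sibling directory such as videos-private/. Because realpath() requires the target to exist, the check also avoids leaking anything beyond "not found" for paths that do not resolve.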

Potential Impact

The primary impact of this vulnerability is unauthorized access to private video content and related files, leading to significant confidentiality breaches. Organizations using WWBN AVideo could face data leakage of sensitive or proprietary video content, which may include intellectual property, personal data, or confidential communications. The ability to delete files also introduces a risk to data integrity, potentially causing loss of valuable content and disrupting service continuity. Since exploitation requires authentication with upload permissions, insider threats or compromised user accounts pose a significant risk vector. The lack of user interaction lowers the barrier for exploitation once credentials are obtained. This vulnerability could undermine user trust and lead to regulatory compliance issues, especially in sectors handling sensitive data such as education, media, or corporate training. Although availability is not directly impacted, the deletion of files could indirectly disrupt service operations. Organizations worldwide relying on this platform for video hosting and sharing must prioritize patching to prevent exploitation.

Mitigation Recommendations

Organizations should immediately upgrade WWBN AVideo to a version that includes the patch addressing CVE-2026-33493. If an upgrade is not immediately feasible, implement the following mitigations: (1) Restrict upload permissions strictly to trusted users and regularly audit user roles to minimize the number of accounts that can exploit this vulnerability. (2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal patterns in the fileURI parameter. (3) Monitor server logs for unusual file access or deletion activities, especially involving .mp4 and adjacent text files outside the videos directory. (4) Harden filesystem permissions to ensure the web server process has the minimum necessary write access, preventing unauthorized file deletions. (5) Conduct regular security assessments and penetration tests focusing on file upload and import functionalities. (6) Educate users about credential security to reduce the risk of account compromise. (7) Consider isolating the video storage directory with additional access controls or containerization to limit the impact of potential exploits.
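As an added example in the spirit of recommendation (3), and not part of the advisory, the PHP below scans constructed application-log lines for fileURI values that decode to a parent-directory segment or an absolute path. The log format, user names and helper names are invented for the example; a real deployment would read the application's own audit or access log and adapt the pattern accordingly.

```php
<?php
// Added example, not AVideo's code. The log format below is constructed for
// illustration: one line per request with the submitted fileURI value.
$sampleLog = <<<'LOG'
2026-03-23T15:52:33Z user=alice endpoint=objects/import.json.php fileURI=alice/clip.mp4
2026-03-23T15:53:10Z user=bob endpoint=objects/import.json.php fileURI=..%2F..%2Fprivate%2Fcarol%2Fsecret.mp4
2026-03-23T15:54:01Z user=bob endpoint=objects/import.json.php fileURI=%252e%252e/carol/secret.mp4
2026-03-23T15:55:42Z user=dave endpoint=objects/import.json.php fileURI=/srv/other/video.mp4
2026-03-23T15:56:09Z user=erin endpoint=objects/import.json.php fileURI=erin/lecture.mp4
LOG;

// Decode up to a few times so double-encoded traversal (%252e%252e) is not missed,
// then look for ".." path segments, absolute paths, or encoded NUL bytes.
function isSuspiciousFileURI(string $raw): bool
{
    $value = $raw;
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    if (strpos($value, "\0") !== false) {
        return true;
    }
    $value = str_replace('\\', '/', $value);
    if ($value !== '' && $value[0] === '/') {
        return true; // absolute path rather than a name under the videos directory
    }
    foreach (explode('/', $value) as $segment) {
        if ($segment === '..') {
            return true; // parent-directory traversal
        }
    }
    return false;
}

// Returns the log lines whose fileURI value looks like a traversal attempt.
function flagTraversalAttempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('/\bfileURI=(\S+)/', $line, $m) && isSuspiciousFileURI($m[1])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

foreach (flagTraversalAttempts($sampleLog) as $hit) {
    echo "SUSPICIOUS: $hit\n";
}
// On the constructed sample this flags the bob and dave lines and leaves alice and erin alone.
```

Decoding before matching matters: a rule that looks for the literal string ".." in the raw request would miss both the %2F-encoded and the double-encoded variants above, which is the usual gap in hastily written WAF signatures for this class of issue.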


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-20T16:59:08.887Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c171cff4197a8e3b777519

Added to database: 3/23/2026, 5:01:03 PM

Last enriched: 3/23/2026, 5:16:00 PM

Last updated: 3/23/2026, 6:04:58 PM



