
CVE-2026-33681: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo

Severity: High
Published: Mon Mar 23 2026 (03/23/2026, 18:39:33 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

CVE-2026-33681 is a high-severity path traversal vulnerability in WWBN AVideo versions up to 26.0. The vulnerability exists in the objects/pluginRunDatabaseScript.json.php endpoint, which accepts a 'name' parameter without proper sanitization. An authenticated administrator or an attacker exploiting CSRF can traverse directories to execute arbitrary SQL scripts located outside the intended plugin directory. This allows execution of any install.sql file as raw SQL queries against the application database, potentially compromising confidentiality, integrity, and availability. The vulnerability requires administrative privileges or CSRF exploitation but does not require user interaction beyond that. A patch has been committed to address this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/30/2026, 20:32:50 UTC

Technical Analysis

CVE-2026-33681 is a path traversal vulnerability classified under CWE-22 affecting WWBN AVideo, an open-source video platform. In versions up to and including 26.0, the endpoint objects/pluginRunDatabaseScript.json.php accepts a POST parameter 'name' which is passed directly to the Plugin::getDatabaseFileName() function without any sanitization or validation to prevent directory traversal. This flaw allows an authenticated administrator or an attacker leveraging Cross-Site Request Forgery (CSRF) to specify a path outside the intended plugin directory. By doing so, the attacker can cause the application to read and execute the contents of any install/install.sql file on the filesystem as raw SQL queries against the backend database. This can lead to unauthorized data manipulation, data leakage, or complete compromise of the database integrity and availability. The vulnerability is particularly dangerous because it allows execution of arbitrary SQL commands, potentially enabling privilege escalation, data destruction, or data exfiltration. The vulnerability has a CVSS v3.1 base score of 7.2, indicating high severity, with attack vector network, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. A patch has been committed (commit 81b591c509835505cb9f298aa1162ac64c4152cb) that properly sanitizes the input to prevent path traversal. No known exploits in the wild have been reported as of the publication date.
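The flawed pattern and one hardening approach, as an added illustration in Python; this is not AVideo's code or its patch, and the plugin root path, file names and function names are assumed:

```python
import os
import re
from typing import Optional

# Hypothetical plugin root; AVideo's real layout is not reproduced here.
PLUGIN_ROOT = "/var/www/avideo/plugin"

# A plugin name is a single path component: letters, digits, underscore.
PLUGIN_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def unsafe_database_file(name: str) -> str:
    """Mirrors the flawed pattern: the user-supplied name is joined
    straight into the path, so '../' sequences escape PLUGIN_ROOT."""
    return os.path.normpath(
        os.path.join(PLUGIN_ROOT, name, "install", "install.sql"))


def safe_database_file(name: str) -> Optional[str]:
    """Hardened version: allowlist the name, then confirm the resolved
    path still sits inside PLUGIN_ROOT. Returns None on rejection."""
    if not PLUGIN_NAME_RE.fullmatch(name):
        return None
    root = os.path.realpath(PLUGIN_ROOT)
    candidate = os.path.realpath(
        os.path.join(root, name, "install", "install.sql"))
    # Defense in depth: commonpath (not startswith) also rejects
    # sibling directories that merely share a prefix, e.g. plugin2/.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```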

Potential Impact

The impact of CVE-2026-33681 is significant for organizations using WWBN AVideo versions 26.0 and earlier. Successful exploitation allows an attacker with administrative privileges or via CSRF to execute arbitrary SQL scripts, potentially leading to full database compromise. This can result in unauthorized data disclosure, data corruption, deletion, or unauthorized privilege escalation within the application. The ability to execute arbitrary SQL commands can also facilitate lateral movement within the network if the database contains sensitive credentials or configuration data. The availability of the video platform service can be disrupted by destructive SQL commands. Given the role of AVideo in hosting and streaming video content, such compromise could lead to service outages, loss of user trust, and regulatory compliance issues related to data breaches. Organizations relying on AVideo for critical video infrastructure should consider this vulnerability a high risk and prioritize remediation.

Mitigation Recommendations

Organizations should immediately update WWBN AVideo to a version that includes the patch addressing CVE-2026-33681. If an immediate upgrade is not feasible, restrict access to the administrative interface and the vulnerable endpoint to trusted IP addresses only. Implement strong CSRF protections to prevent unauthorized requests from authenticated administrators. Review and harden file system permissions to ensure that the application user cannot access or execute unintended SQL files outside the plugin directory. Conduct a thorough audit of database logs for any suspicious SQL execution that could indicate exploitation attempts. Additionally, monitor network traffic for unusual POST requests to the pluginRunDatabaseScript.json.php endpoint. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in the 'name' parameter. Finally, educate administrators about the risks of CSRF and enforce the use of multi-factor authentication to reduce the risk of credential compromise.
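Detection logic for the monitoring advice above, as an added Python example that is not part of the advisory. The log lines are constructed, and the format assumes the POST body has been appended to each access-log entry, which a stock web-server access log does not do (the body would have to come from the application or a WAF log):

```python
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "objects/pluginRunDatabaseScript.json.php"
# A '..' segment bounded by a slash, backslash, start or end of string.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample lines: combined-log style with the POST body appended.
SAMPLE_LOG = """\
10.0.0.5 - admin [24/Mar/2026:10:01:02 +0000] "POST /objects/pluginRunDatabaseScript.json.php HTTP/1.1" 200 name=MyPlugin
10.0.0.9 - admin [24/Mar/2026:10:02:17 +0000] "POST /objects/pluginRunDatabaseScript.json.php HTTP/1.1" 200 name=..%2F..%2Fother
10.0.0.9 - admin [24/Mar/2026:10:02:18 +0000] "POST /objects/pluginRunDatabaseScript.json.php HTTP/1.1" 200 name=%252e%252e%2Fx
10.0.0.7 - - [24/Mar/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<body>\S*)$')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text: str):
    """Return (ip, timestamp, decoded name) for POSTs to the endpoint
    whose 'name' parameter contains a traversal segment or an absolute path."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith(ENDPOINT):
            continue
        params = parse_qs(m["body"], keep_blank_values=True)
        for raw in params.get("name", []):
            name = fully_decode(raw)
            if TRAVERSAL_RE.search(name) or name.startswith("/"):
                hits.append((m["ip"], m["ts"], name))
    return hits
```

The same decode-then-match logic is what a WAF rule on the 'name' parameter needs; matching only on the literal string "../" misses the double-encoded form in the third sample line.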


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T16:34:59.931Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c18de6f4197a8e3b82dd85

Added to database: 3/23/2026, 7:00:54 PM

Last enriched: 3/30/2026, 8:32:50 PM

Last updated: 5/8/2026, 10:56:50 PM

