The vulnerability identified as CVE-2026-33681 in WWBN AVideo (up to version 26.0) is a path traversal flaw categorized under CWE-22. The issue arises because the 'objects/pluginRunDatabaseScript.json.php' endpoint accepts a POST parameter named 'name' which is passed directly to the Plugin::getDatabaseFileName() function without any validation or sanitization to prevent directory traversal. This allows an attacker with authenticated admin privileges or an attacker leveraging Cross-Site Request Forgery (CSRF) to manipulate the 'name' parameter to traverse outside the intended plugin directory. By doing so, the attacker can specify any 'install/install.sql' file on the filesystem, causing the application to execute its contents as raw SQL queries against the backend database. This can lead to unauthorized data manipulation, data leakage, or denial of service through database corruption. The vulnerability has a CVSS v3.1 score of 7.2, reflecting high severity due to its impact on confidentiality, integrity, and availability, combined with low attack complexity but requiring high privileges. A patch has been committed (commit 81b591c509835505cb9f298aa1162ac64c4152cb) that adds proper path traversal sanitization to mitigate this risk.

The exploitation of this vulnerability can have severe consequences for organizations using WWBN AVideo versions 26.0 or earlier. Attackers can execute arbitrary SQL commands, potentially leading to unauthorized data disclosure, modification, or deletion. This compromises the confidentiality, integrity, and availability of the video platform's database, which may contain sensitive user data, video content metadata, and configuration information. The ability to execute arbitrary SQL can also facilitate privilege escalation or persistent backdoors within the application. Since the vulnerability requires admin-level authentication or CSRF exploitation, the risk is elevated in environments where admin credentials are weak or where CSRF protections are insufficient. Organizations relying on AVideo for video content delivery, especially those hosting sensitive or proprietary content, face significant operational and reputational risks if exploited.

Organizations should immediately update WWBN AVideo to a version that includes the patch for CVE-2026-33681 or apply the patch from commit 81b591c509835505cb9f298aa1162ac64c4152cb. In addition, it is critical to enforce strong authentication and authorization controls to limit admin access. Implement robust CSRF protections to prevent unauthorized requests from being executed by authenticated admins. Review and restrict file system permissions to ensure that the application process cannot access or execute unintended SQL files outside the plugin directory. Conduct regular code audits and penetration testing focusing on input validation and path traversal vulnerabilities. Monitoring and logging access to the vulnerable endpoint can help detect exploitation attempts. Finally, educate administrators about phishing and social engineering risks that could lead to credential compromise.