CVE-2026-40909: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
AI Analysis
Technical Summary
WWBN AVideo versions up to 29.0 contain a path traversal vulnerability (CWE-22) in the locale save endpoint (`locale/save.php`). The vulnerability arises because the `$_POST['flag']` parameter is directly concatenated into a file path without sanitization, and the `$_POST['code']` parameter is written to that path. An attacker with admin privileges or the ability to CSRF an admin (due to missing CSRF token and permissive cookie settings) can traverse directories and write arbitrary PHP files to any writable location, enabling remote code execution. A fix was introduced in commit 57f89ffbc27d37c9d9dd727212334846e78ac21a, but no official patch or advisory details are provided in the input.
Potential Impact
Successful exploitation allows an attacker with admin privileges or the ability to CSRF an admin to write arbitrary PHP files outside the intended directory, resulting in remote code execution with the privileges of the web server user. This can lead to full compromise of the affected system. The CVSS score is 8.7 (high severity), reflecting the ease of exploitation and the impact on confidentiality and integrity.
Mitigation Recommendations
A fix is available as indicated by the referenced commit that sanitizes the file path input to prevent path traversal. Users should upgrade to a version including this fix or apply the patch from commit 57f89ffbc27d37c9d9dd727212334846e78ac21a. Until patched, restrict admin access and implement CSRF protections to reduce risk. Patch status is not yet confirmed via an official vendor advisory; check the vendor's resources for updated remediation guidance.
CVE-2026-40909: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions up to 29.0 contain a path traversal vulnerability (CWE-22) in the locale save endpoint (`locale/save.php`). The vulnerability arises because the `$_POST['flag']` parameter is directly concatenated into a file path without sanitization, and the `$_POST['code']` parameter is written to that path. An attacker with admin privileges or the ability to CSRF an admin (due to missing CSRF token and permissive cookie settings) can traverse directories and write arbitrary PHP files to any writable location, enabling remote code execution. A fix was introduced in commit 57f89ffbc27d37c9d9dd727212334846e78ac21a, but no official patch or advisory details are provided in the input.
Potential Impact
Successful exploitation allows an attacker with admin privileges or the ability to CSRF an admin to write arbitrary PHP files outside the intended directory, resulting in remote code execution with the privileges of the web server user. This can lead to full compromise of the affected system. The CVSS score is 8.7 (high severity), reflecting the ease of exploitation and the impact on confidentiality and integrity.
Mitigation Recommendations
A fix is available as indicated by the referenced commit that sanitizes the file path input to prevent path traversal. Users should upgrade to a version including this fix or apply the patch from commit 57f89ffbc27d37c9d9dd727212334846e78ac21a. Until patched, restrict admin access and implement CSRF protections to reduce risk. Patch status is not yet confirmed via an official vendor advisory; check the vendor's resources for updated remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T16:37:22.767Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7d78519fe3cd2cdf5b338
Added to database: 4/21/2026, 8:01:09 PM
Last enriched: 4/21/2026, 8:16:10 PM
Last updated: 4/21/2026, 9:17:09 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.