CVE-2026-41062: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
CVE-2026-41062 is a path traversal vulnerability in WWBN AVideo versions 29. 0 and below. The vulnerability arises because the fix for directory traversal only inspects the URL path component for '.. ' sequences, but the downstream function processes the full URL including the query string. This allows an attacker to bypass the check by placing traversal payloads in the query string, potentially reading arbitrary files on the server. The issue is addressed in a later commit (bd11c16ec894698e54e2cdae25026c61ad1ed441). The CVSS score is 6. 5, indicating medium severity, with impact limited to confidentiality loss without integrity or availability impact. No official patch or vendor advisory is currently provided in the data.
AI Analysis
Technical Summary
WWBN AVideo versions 29.0 and earlier contain a path traversal vulnerability (CWE-22) in the file objects/aVideoEncoderReceiveImage.json.php. The initial fix only checked the URL path component for '..' sequences, but the downstream function try_get_contents_from_local() uses the full URL string including the query string to extract file paths. This discrepancy allows an attacker to craft a URL with traversal sequences in the query string to bypass the check and read arbitrary files from the server filesystem. A subsequent commit (bd11c16ec894698e54e2cdae25026c61ad1ed441) contains an updated fix addressing this issue.
Potential Impact
An attacker with at least low privileges can exploit this vulnerability to read arbitrary files on the server hosting WWBN AVideo, potentially exposing sensitive information. The CVSS vector indicates network attack vector, low attack complexity, low privileges required, no user interaction needed, unchanged scope, and high confidentiality impact. There is no impact on integrity or availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed in a later commit (bd11c16ec894698e54e2cdae25026c61ad1ed441), so upgrading to a version including this fix is recommended once available. Until then, restrict access to trusted users and monitor for suspicious file access patterns related to URL query strings containing traversal sequences.
CVE-2026-41062: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
Description
CVE-2026-41062 is a path traversal vulnerability in WWBN AVideo versions 29. 0 and below. The vulnerability arises because the fix for directory traversal only inspects the URL path component for '.. ' sequences, but the downstream function processes the full URL including the query string. This allows an attacker to bypass the check by placing traversal payloads in the query string, potentially reading arbitrary files on the server. The issue is addressed in a later commit (bd11c16ec894698e54e2cdae25026c61ad1ed441). The CVSS score is 6. 5, indicating medium severity, with impact limited to confidentiality loss without integrity or availability impact. No official patch or vendor advisory is currently provided in the data.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions 29.0 and earlier contain a path traversal vulnerability (CWE-22) in the file objects/aVideoEncoderReceiveImage.json.php. The initial fix only checked the URL path component for '..' sequences, but the downstream function try_get_contents_from_local() uses the full URL string including the query string to extract file paths. This discrepancy allows an attacker to craft a URL with traversal sequences in the query string to bypass the check and read arbitrary files from the server filesystem. A subsequent commit (bd11c16ec894698e54e2cdae25026c61ad1ed441) contains an updated fix addressing this issue.
Potential Impact
An attacker with at least low privileges can exploit this vulnerability to read arbitrary files on the server hosting WWBN AVideo, potentially exposing sensitive information. The CVSS vector indicates network attack vector, low attack complexity, low privileges required, no user interaction needed, unchanged scope, and high confidentiality impact. There is no impact on integrity or availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed in a later commit (bd11c16ec894698e54e2cdae25026c61ad1ed441), so upgrading to a version including this fix is recommended once available. Until then, restrict access to trusted users and monitor for suspicious file access patterns related to URL query strings containing traversal sequences.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-16T16:43:03.173Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8053519fe3cd2cd036933
Added to database: 4/21/2026, 11:16:05 PM
Last enriched: 4/29/2026, 11:14:37 AM
Last updated: 6/6/2026, 2:26:24 AM
Views: 61
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.