CVE-2026-46337: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication.
AI Analysis
Technical Summary
WWBN AVideo versions up to 29.0 contain an improper limitation of a pathname to a restricted directory (CWE-22) vulnerability. An unauthenticated attacker can exploit this path traversal flaw to access arbitrary image files on the server that the PHP process can read. This includes sensitive images normally protected by access controls within the application. The vulnerability arises because the endpoint handling image requests does not properly restrict directory traversal sequences (e.g., '..'), allowing access beyond intended directories. No authentication is required to exploit this issue.
Potential Impact
An attacker can read arbitrary image files anywhere on disk accessible by the PHP user, including private user-profile photos and other sensitive image content that should be protected by access controls. This leads to unauthorized disclosure of potentially sensitive or private information. There is no indication of code execution or modification, so the impact is limited to information disclosure of image files.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is indicated and no temporary workaround is provided, users should monitor the vendor's communications for updates. Until a fix is available, restricting access to the vulnerable endpoint via network controls or web application firewall rules may help mitigate exposure.
CVE-2026-46337: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication.
CVSS v4.0
Score 6.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions up to 29.0 contain an improper limitation of a pathname to a restricted directory (CWE-22) vulnerability. An unauthenticated attacker can exploit this path traversal flaw to access arbitrary image files on the server that the PHP process can read. This includes sensitive images normally protected by access controls within the application. The vulnerability arises because the endpoint handling image requests does not properly restrict directory traversal sequences (e.g., '..'), allowing access beyond intended directories. No authentication is required to exploit this issue.
Potential Impact
An attacker can read arbitrary image files anywhere on disk accessible by the PHP user, including private user-profile photos and other sensitive image content that should be protected by access controls. This leads to unauthorized disclosure of potentially sensitive or private information. There is no indication of code execution or modification, so the impact is limited to information disclosure of image files.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is indicated and no temporary workaround is provided, users should monitor the vendor's communications for updates. Until a fix is available, restricting access to the vulnerable endpoint via network controls or web application firewall rules may help mitigate exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T18:37:30.989Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a199940e29bf47b50eaf82a
Added to database: 5/29/2026, 1:48:48 PM
Last enriched: 5/29/2026, 2:05:02 PM
Last updated: 5/29/2026, 8:31:32 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.