CVE-2026-33238 — Path Traversal in Avideo
Severity: 4.3 MEDIUM (NVD)
EPSS: 0.0% (top 85.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products:
Timeline: Latest update Mar 19; Published Mar 21
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private …
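The bug class the description names, a client-supplied directory handed straight to `glob()`, shown beside a hardened form that pins the lookup to a configured base directory and returns only base-relative names. This is an added illustration and not AVideo's code; the function names, the base directory and the request handling are assumptions.

```php
<?php
// Added illustration of the weakness described above. Not AVideo's code:
// function names, the base directory and request handling are assumptions.

// Vulnerable shape: the client-controlled directory goes straight into glob(),
// so any readable directory on the server can be listed.
function listMp4FilesUnrestricted(string $path): array
{
    return glob(rtrim($path, '/') . '/*.mp4') ?: [];
}

// Hardened shape: canonicalise the requested directory with realpath() and
// refuse anything that does not sit inside the configured base directory.
function listMp4FilesWithinBase(string $baseDir, string $requested): array
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('Base directory is not available');
    }
    // realpath() collapses "..", symlinks and repeated separators, so the
    // comparison below is made on the canonical on-disk location. Prefixing
    // with $base also neutralises absolute paths such as "/etc".
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return []; // Non-existent directories are treated as empty.
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('Requested path escapes the base directory');
    }
    // Return names relative to the base so absolute server paths are not leaked.
    $files = glob($target . DIRECTORY_SEPARATOR . '*.mp4') ?: [];
    return array_map(fn(string $f): string => substr($f, strlen($prefix)), $files);
}

// Hypothetical handler wiring (assumed, not the project's endpoint code).
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    try {
        $requested = (string) ($_POST['path'] ?? '');
        echo json_encode(listMp4FilesWithinBase('/var/www/videos', $requested));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo json_encode(['error' => 'invalid path']);
    }
}
```

The trailing separator in `$prefix` matters: without it, a sibling directory such as `videos2` would pass a plain string-prefix check against a base of `videos`.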
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Exploitability: 2.8 | Impact: 1.4)