CVE-2026-33293: Path Traversal in AVideo

CWE-22: Path Traversal | 5 documents | 4 sources
Severity: 8.1 HIGH (NVD)
EPSS: 0.0% (top 85.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 22
Latest update: Apr 14

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: wwbn/avideo < 26.0
Packagist: wwbn/avideo 29.0+1

Patches

🔴 Vulnerability Details (3)

GHSA: WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal (2026-04-14)
OSV: AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter (2026-03-19)
GHSA: AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter (2026-03-19)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-33293 Impact, Exploitability, and Mitigation Steps | Wiz