CVE-2026-33493 — Path Traversal in Avideo

CWE-22 — Path Traversal4 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 76.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateMar 20

PublishedMar 23

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDwwbn/avideo26.0

▶Packagistwwbn/avideo26.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter↗2026-03-20

▶

OSV

AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter↗2026-03-20

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33493 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶