CVE-2026-33681 — Path Traversal in Avideo

CWE-22 — Path Traversal4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 83.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

PublishedMar 23

Latest updateMar 25

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Co…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDwwbn/avideo26.0

▶Packagistwwbn/avideo26.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name↗2026-03-25

▶

GHSA

AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33681 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶