Medium severity4.3NVD Advisory· Published Mar 21, 2026· Updated Apr 13, 2026
CVE-2026-33238
CVE-2026-33238
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | < 26.0 | 26.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-4wmm-6qxj-fpj4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33238ghsaADVISORY
- github.com/WWBN/AVideo/issues/10403nvdWEB
News mentions
0No linked articles in our index yet.