Medium severity4.3NVD Advisory· Published Mar 21, 2026· Updated Apr 13, 2026
CVE-2026-33238
CVE-2026-33238
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | < 26.0 | 26.0 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-4wmm-6qxj-fpj4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33238ghsaADVISORY
- github.com/WWBN/AVideo/issues/10403nvdWEB
News mentions
0No linked articles in our index yet.