VYPR
Medium severity4.3NVD Advisory· Published Mar 21, 2026· Updated Apr 13, 2026

CVE-2026-33238

CVE-2026-33238

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
wwbn/avideoPackagist
< 26.026.0

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.