High severityNVD Advisory· Published Mar 22, 2026· Updated Mar 24, 2026
AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
CVE-2026-33293
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink() without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., ../../) to delete arbitrary files on the server, including critical application files such as configuration.php, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 25.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-xmjm-86qv-g226ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33293ghsaADVISORY
- github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.