High severity8.1NVD Advisory· Published Apr 21, 2026· Updated Apr 24, 2026
CVE-2026-41058
CVE-2026-41058
Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink() of arbitrary files via ../../ sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 29.0 | — |
Affected products
2Patches
Vulnerability mechanics
References
7- github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2nvdPatchWEB
- github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2nvdExploitMitigationVendor AdvisoryWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-5879-4fmr-xwf2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33293ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41058ghsaADVISORY
News mentions
0No linked articles in our index yet.