High severity8.1NVD Advisory· Published Apr 21, 2026· Updated Apr 24, 2026
CVE-2026-41058
CVE-2026-41058
Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink() of arbitrary files via ../../ sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 29.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/WWBN/AVideo/commit/3c729717c26f160014a5c86b0b6accdbd613e7b2nvdPatchWEB
- github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-5879-4fmr-xwf2nvdExploitMitigationVendor AdvisoryWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-5879-4fmr-xwf2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33293ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41058ghsaADVISORY
News mentions
0No linked articles in our index yet.