VYPR
GHSA Advisory · Medium severity (6.9) · Published May 18, 2026

AVideo: Authenticated Arbitrary File Read in view/update.php

CVE-2026-45731

Description

### Summary

view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process; this is especially valuable on misconfigured deployments where /etc/passwd, .env, or other sibling-app configs are reachable relative to the AVideo directory.

### Details

view/update.php, lines 134-145 (excerpt):

```php
if (!empty($_POST['updateFile'])) {
    $dir = Video::getStoragePath() . "cache";
    rrmdir($dir); /* …unrelated cache-clear… */

    if (file_exists($logfile . "log")) {
        unlink($logfile . "log");
        // ...
    }
    $lines = file("{$global['systemRootPath']}updatedb/{$_POST['updateFile']}");
```

The User::isAdmin() and adminSecurityCheck(true) guards at lines 12-15 enforce admin authentication, but $_POST['updateFile'] is concatenated into a path without any sanitization. file() returns the file's contents as an array of lines; the script subsequently iterates them and echoes the SQL it would run.

PoC

```http
POST /view/update.php
Content-Type: application/x-www-form-urlencoded

updateFile=../../../../etc/passwd
```

Result: the script attempts to load /etc/passwd (relative to {systemRootPath}updatedb/), echoing each line in the migration-runner HTML output. $_POST['updateFile'] traversal is accepted; there is no extension guard and no in-array whitelist.

Attempting ../../../../proc/self/environ similarly reveals web-server environment variables on Linux.

Impact

Verified on the current master branch of WWBN/AVideo (commit bc0340662…). Likely affected: every release in which view/update.php contains the $_POST['updateFile'] consumer; the pattern predates 2024.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AVideo `view/update.php` lets an authenticated admin supply an unsanitized relative path to PHP's `file()`, enabling arbitrary file read on the server.

Vulnerability

The view/update.php script in AVideo (open-source video platform) reads the $_POST['updateFile'] parameter and uses it directly in a path concatenation: file("{$global['systemRootPath']}updatedb/{$_POST['updateFile']}"). No sanitization, extension guard, or whitelist is applied to the user-supplied path. The affected code is present on the current master branch (commit bc0340662...) and likely in every release where the $_POST['updateFile'] consumer exists, predating 2024 [1][2][3]. The script requires administrator authentication (User::isAdmin() and adminSecurityCheck() on lines 12-15) [2][3].

Exploitation

An authenticated administrator can send a POST request to /view/update.php with a Content-Type of application/x-www-form-urlencoded and set updateFile to a path traversal string such as ../../../../etc/passwd. The relative path is appended to the updatedb/ directory, allowing the attacker to read arbitrary text files reachable from the web-server process. For example, ../../../../proc/self/environ reveals web-server environment variables on Linux. The script then echoes each line of the file in the migration-runner HTML output, effectively exfiltrating the contents [2][3].

Impact

Successful exploitation results in an arbitrary file read by an authenticated administrator, leading to information disclosure. Sensitive files such as /etc/passwd, .env configuration files, or sibling application configs that are reachable relative to the AVideo directory can be exposed. The attacker gains the ability to read the contents of any text file the web-server process can access, which may include credentials, secrets, or other sensitive data [1][2][3].

Mitigation

As of the available references, no official fix or patched version has been announced for AVideo. The advisory notes that the vulnerable code pattern predates 2024 and is present in the current master branch. Until a patch is released, administrators should restrict access to view/update.php to only trusted users and ensure the web server's document root is properly configured to prevent path traversal. No workaround is provided in the published sources [1][2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
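The Details section above shows the unsanitized path concatenation, and the Mitigation section notes that no fix exists yet. The following is an added example, not AVideo's own code, of how the updateFile lookup could be hardened: accept only a bare `*.sql` name and require the resolved path to stay inside updatedb/. The function name and the temporary directory used for the self-check are assumptions.

```php
<?php
// Added example, not AVideo's code: a hardened resolver for the updateFile
// parameter that view/update.php consumes. The function name and the
// temporary directory used for the self-check are assumptions.

// Map a requested migration name to a path inside $baseDir, or return null.
// Only a bare "*.sql" file name is accepted, and the result must realpath()
// to a regular file under the base directory, which rejects ../ traversal,
// absolute paths, NUL bytes and symlinks that point outside updatedb/.
function resolveUpdateFile(string $baseDir, string $requested): ?string
{
    // Bare name only: letters, digits, dot, dash, underscore, ".sql" suffix.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\.sql\z/', $requested)
        || strpos($requested, '..') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() collapses symlinks, so a valid result still starts with $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed self-check: a throw-away updatedb/ holding one real migration.
$tmp = sys_get_temp_dir() . '/updatedb_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents("$tmp/update_1.sql", "SELECT 1;\n");
$cases = [
    'update_1.sql'                  => true,   // legitimate migration
    '../../../../etc/passwd'        => false,  // traversal from the advisory
    '../../../../proc/self/environ' => false,
    '/etc/passwd'                   => false,  // absolute path
    "update_1.sql\0"                => false,  // NUL byte
    'missing.sql'                   => false,  // valid name, not on disk
];
foreach ($cases as $name => $expected) {
    $accepted = resolveUpdateFile($tmp, $name) !== null;
    printf("%-32s %s\n", addcslashes($name, "\0"), $accepted === $expected ? 'ok' : 'MISMATCH');
}
unlink("$tmp/update_1.sql");
rmdir($tmp);
// At the call site in update.php this replaces the raw concatenation:
//   $path = resolveUpdateFile("{$global['systemRootPath']}updatedb/", (string)($_POST['updateFile'] ?? ''));
//   if ($path === null) { http_response_code(400); exit; }   $lines = file($path);
```

The admin-only guard stays in place; this check only narrows what an authenticated administrator can make file() open.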

Affected products (2)

  • WWBN/Avideo (GHSA), 2 versions: <= 29.0 + 1 more
    • range: <= 29.0 (no CPE)
    • (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.