Medium severity 5.3 · GHSA Advisory · Published May 29, 2026 · Updated Jun 1, 2026
CVE-2026-46337
Description
WWBN AVideo is an open source video platform. In versions 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via `..` traversal. The endpoint requires no authentication.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| WWBN/AVideo (Packagist) | <= 29.0 | — |
References
- github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq (nvd: Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-w4qq-74h6-58wq (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-46337 (ghsa: ADVISORY)
News mentions
- WWBN AVideo: Nine Bugs Disclosed Together — From Wallet Fraud to RCE (Vypr Intelligence · May 29, 2026)