CVE-2026-33238 in AVideo
Summary
by MITRE • 03/21/2026
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-33238 affects WWBN AVideo, an open source video platform widely adopted for hosting and managing multimedia content. It is a critical directory traversal flaw present in versions prior to 26.0, specifically in the `listFiles.json.php` endpoint. The root cause is missing input validation and path restriction: the endpoint reads a `path` POST parameter and passes it directly to PHP's `glob()` function with no base-directory restriction or path sanitization. As a result, authenticated users can reach files and directories beyond the scope the application intends to expose.
The technical exploitation of this vulnerability occurs through the manipulation of the `path` parameter in the `listFiles.json.php` endpoint. When an authenticated uploader submits a request containing an absolute path such as `/etc/passwd` or `/var/www/html/private/media/`, the application processes this input directly through the `glob()` function without any validation or sanitization. The `glob()` function in PHP performs pattern matching against file system paths and returns matching file names, which in this case allows attackers to enumerate not only `.mp4` files but potentially any files accessible to the web server process. This enumeration capability extends to sensitive directories outside the web root including private media repositories, configuration files, and other protected resources that should remain inaccessible to unauthorized users. The vulnerability operates at the core of the application's file system interaction model, fundamentally undermining the intended access controls and privilege separation mechanisms.
The operational impact of this vulnerability is severe and multifaceted, potentially exposing organizations to significant data breaches and system compromise. An authenticated attacker with uploader privileges can systematically traverse the entire server filesystem, discovering and potentially accessing sensitive files including but not limited to configuration files containing database credentials, private keys, application secrets, and user data. The enumeration of `.mp4` files across the entire file system creates a comprehensive map of media assets, potentially exposing premium content, private videos, or copyrighted material that should remain protected. This vulnerability directly violates several security principles including the principle of least privilege and defense in depth, as it allows a user with limited upload permissions to gain extensive system reconnaissance capabilities. The impact extends beyond simple information disclosure to potentially enable further exploitation such as privilege escalation, lateral movement within the network, or the discovery of additional vulnerabilities through the enumeration of system resources.
The security implications of this vulnerability align with CWE-22 (Improper Limiting of a Pathname to a Restricted Directory) and represent a classic example of path traversal attacks that have been documented extensively in security literature. From an ATT&CK framework perspective, this vulnerability maps to T1083 (File and Directory Discovery) and potentially T1566 (Phishing) if the attacker uses the discovered information to craft more sophisticated social engineering campaigns. The vulnerability also demonstrates characteristics of T1059 (Command and Scripting Interpreter) and T1078 (Valid Accounts) as it leverages authenticated user access to escalate privileges and gain unauthorized access to system resources. Organizations utilizing affected versions of AVideo should immediately implement mitigations including updating to version 26.0 or applying the patch that restricts the `path` parameter to a predefined base directory. Additionally, network segmentation, access controls, and monitoring should be implemented to detect and prevent exploitation attempts, as this vulnerability can be used to establish persistent access to the system through the enumeration of sensitive files and directories.
The remediation approach for this vulnerability requires immediate application of the patch available in version 26.0, which implements proper path validation and restriction mechanisms. The fix should ensure that all paths passed to the `glob()` function are validated against a predetermined whitelist of allowed directories or are strictly confined within a designated base directory. This approach aligns with security best practices for preventing path traversal vulnerabilities and should be implemented as a priority for all affected installations. Organizations should also conduct comprehensive security reviews of their file system access controls and authentication mechanisms to ensure that similar vulnerabilities do not exist in other components of their infrastructure. The vulnerability serves as a reminder of the critical importance of input validation and proper access control implementation in web applications, particularly those handling user uploads and file system operations.
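To make the root cause and the fix concrete, the following PHP snippet is an added illustration written for this analysis; it is not AVideo's own code and does not reproduce the actual 26.0 patch. The function names (`listFilesVulnerable`, `resolveWithinBase`, `listMp4Files`), the request shape and the demo directories are all hypothetical. It places the vulnerable pattern described above (the POST value handed straight to `glob()`) beside a hardened version that resolves the requested directory with `realpath()`, checks that the result lies under a fixed base directory, and returns only base-relative names so absolute server paths are not disclosed.

```php
<?php
// Added example, not AVideo's code. All names below are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern as described in the advisory: the caller's path goes
// straight into glob(), so any absolute path the web server can read works.
function listFilesVulnerable(string $path): array
{
    $matches = glob(rtrim($path, '/') . '/*.mp4');
    return $matches === false ? [] : $matches;
}

// --- Hardened helper: confine the request to $base (or a subdirectory of it).
// Returns the resolved directory, or null when the request must be refused.
function resolveWithinBase(string $requested, string $base): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // base directory missing or unreadable: refuse
    }
    // Treat the request as relative to the base; stripping leading slashes
    // prevents an absolute path from simply replacing the base.
    $candidate = $baseReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\');
    $real = realpath($candidate); // collapses ../ and symlinks; false if nonexistent
    if ($real === false) {
        return null;
    }
    // Prefix check with a trailing separator so "/videos_private" is not
    // accepted as a child of "/videos".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $baseReal && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// --- Hardened endpoint logic: glob() only ever sees a directory under $base.
function listMp4Files(string $requested, string $base): array
{
    $dir = resolveWithinBase($requested, $base);
    if ($dir === null) {
        return ['error' => true, 'status' => 400, 'msg' => 'path outside allowed directory'];
    }
    $matches = glob($dir . DIRECTORY_SEPARATOR . '*.mp4');
    if ($matches === false) {
        $matches = [];
    }
    // Report names relative to the base, not absolute filesystem paths.
    $baseReal = (string) realpath($base);
    $names = array_map(
        fn(string $f): string => substr($f, strlen($baseReal) + 1),
        $matches
    );
    return ['error' => false, 'status' => 200, 'files' => $names];
}

if (PHP_SAPI === 'cli') {
    // Self-contained demo: a throwaway base directory plus a sibling directory
    // that represents "private" media outside the allowed base.
    $tmp = sys_get_temp_dir() . '/listfiles_demo_' . getmypid();
    mkdir($tmp . '/videos', 0700, true);
    mkdir($tmp . '/private', 0700, true);
    touch($tmp . '/videos/clip.mp4');
    touch($tmp . '/private/premium.mp4');
    $base = $tmp . '/videos';

    // Vulnerable: an absolute path outside the base is listed without complaint.
    var_dump(listFilesVulnerable($tmp . '/private'));
    // Hardened: in-base request succeeds, traversal and absolute escapes are refused.
    var_dump(listMp4Files('', $base));
    var_dump(listMp4Files('../private', $base));
    var_dump(listMp4Files($tmp . '/private', $base));

    // Clean up the demo tree.
    foreach (['/videos/clip.mp4', '/private/premium.mp4'] as $f) { unlink($tmp . $f); }
    foreach (['/videos', '/private', ''] as $d) { rmdir($tmp . $d); }
} else {
    // Minimal request wiring (hypothetical): the base directory is fixed in code,
    // never taken from the request.
    header('Content-Type: application/json');
    $base = __DIR__ . '/videos'; // hypothetical allowed directory
    $result = listMp4Files((string) ($_POST['path'] ?? ''), $base);
    http_response_code($result['status']);
    echo json_encode($result);
}
```

Two design points are worth noting. First, the check compares `realpath()` output rather than the raw string, so `../` sequences and symlinks that point outside the base are resolved before the decision is made; a nonexistent target is also refused rather than passed on to `glob()`. Second, the hardened version never echoes the resolved absolute path back to the client, which closes the secondary disclosure the summary mentions (full absolute filesystem paths) even for legitimate in-base listings.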