CVE-2026-33493 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch.


Analysis

by VulDB Data Team • 03/28/2026

CVE-2026-33493 affects WWBN AVideo up to and including version 26.0. The `objects/import.json.php` endpoint takes a user-controlled `fileURI` POST parameter and validates it with nothing more than a regular expression requiring a `.mp4` suffix. Because the value is then used directly as a filesystem path, that single check says nothing about which directory the file lives in, and the endpoint lacks the path containment that a sibling endpoint of the same platform already applies.

The contrast is instructive. `objects/listFiles.json.php` canonicalizes the requested path with `realpath()` and then checks that the result begins with the `videos/` directory prefix, so symlinks and `..` segments are resolved before the comparison and anything outside `videos/` is refused. `import.json.php` omits that step entirely, so an authenticated user with upload privileges can supply an absolute path, or a relative one containing `..`, that names any `.mp4` the web server process can read. This is CWE-73 (External Control of File Name or Path) and, because the effect is an escape from the intended `videos/` directory, also CWE-22 (Path Traversal). A suffix regex is not a sanitizer: it constrains what the name ends with, not where the file is.
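As an added example that is not AVideo project code, the following PHP puts the extension-only check the advisory describes for `import.json.php` beside the `realpath()` plus directory-prefix containment it credits to `listFiles.json.php`. The function names, the throwaway directory layout under the system temp directory and the candidate paths are all assumptions constructed for the demonstration; it runs offline and removes what it creates.

```php
<?php
// Added example, not AVideo code. Function names and the demo layout are assumptions.
declare(strict_types=1);

// The weak check the advisory describes: only the suffix is inspected, so any
// readable or deletable .mp4 anywhere on the filesystem is accepted.
function isAcceptedByExtensionOnly(string $fileURI): bool
{
    return preg_match('/\.mp4$/i', $fileURI) === 1;
}

// The hardened form: canonicalize, then require the result to sit inside the
// videos directory. Returns the canonical path, or null when rejected.
function resolveInsideVideosDir(string $fileURI, string $videosDir): ?string
{
    if (preg_match('/\.mp4$/i', $fileURI) !== 1) {
        return null;
    }
    $base = realpath($videosDir);
    $real = realpath($fileURI);
    // realpath() returns false for a nonexistent path or an unreadable
    // component; both must be rejected rather than compared as strings.
    if ($base === false || $real === false) {
        return null;
    }
    // Compare against the base WITH a trailing separator so that a sibling
    // such as .../videos_backup/ does not pass as a prefix match.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    // A directory named something.mp4 would satisfy the regex; require a file.
    if (!is_file($real)) {
        return null;
    }
    return $real;
}

// Constructed demo tree: one legitimate video and one "victim" video outside videos/.
$root   = sys_get_temp_dir() . '/avideo_demo_' . bin2hex(random_bytes(4));
$videos = $root . '/videos';
$other  = $root . '/private';
mkdir($videos, 0700, true);
mkdir($other, 0700, true);
file_put_contents($videos . '/own.mp4', 'x');
file_put_contents($other . '/victim.mp4', 'x');

$candidates = [
    $videos . '/own.mp4',                // legitimate: both checks accept
    $other . '/victim.mp4',              // absolute path outside videos/
    $videos . '/../private/victim.mp4',  // traversal to the same file
    $root . '/videos_backup.mp4',        // nonexistent: realpath() === false
];

foreach ($candidates as $candidate) {
    printf("%-70s ext-only=%-6s hardened=%s\n",
        $candidate,
        isAcceptedByExtensionOnly($candidate) ? 'accept' : 'reject',
        resolveInsideVideosDir($candidate, $videos) === null ? 'reject' : 'accept');
}

// Clean up the demo tree.
unlink($videos . '/own.mp4');
unlink($other . '/victim.mp4');
rmdir($videos);
rmdir($other);
rmdir($root);
```

Only the first candidate survives the hardened check; the extension-only check accepts all four, including the path that does not exist. The two details worth copying into any such fix are the explicit `false` test on `realpath()` and the trailing separator on the base directory before the prefix comparison.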

The impact covers both confidentiality and integrity. An authenticated user with upload permission gains three capabilities through the endpoint. First, they can take another user's private video by importing it into their own account, which sidesteps the platform's per-user access controls. Second, because the importer also reads text files adjacent to the targeted `.mp4` (`.txt`, `.html` and `.htm`), they can read whatever such files sit beside any video on the filesystem, not just within `videos/`. Third, if the web server process has write access to the location, they can delete the `.mp4` and its adjacent text files, causing permanent data loss.

The precondition is modest: an authenticated account with upload permission, a privilege many content platforms grant to ordinary users. Both malicious insiders and compromised low-privilege accounts can therefore exploit the issue without any further escalation. In ATT&CK terms, reading other users' files from disk is T1005 (Data from Local System), importing them into the attacker's own account serves as staging ahead of exfiltration (T1074.001, Local Data Staging), and the deletion capability is T1485 (Data Destruction); no user interaction is involved, so phishing techniques do not apply. The patch in commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 brings `import.json.php` into line with the containment already used by `listFiles.json.php`, confining its file operations to the intended directory.

Operators of WWBN AVideo should upgrade to a release that includes the patch and, until then, restrict upload permission to trusted accounts. For detection, review web server and application logs for `import.json.php` requests whose `fileURI` value is an absolute path outside the videos directory or contains `..` segments, and watch for `.mp4` and adjacent text files being read or deleted by the web server process from locations it should not touch. The broader lesson is that security controls must be applied consistently across every endpoint that handles the same kind of input, and that path validation has to canonicalize and contain the path rather than match a pattern on its name.

Responsible

GitHub M

Reservation

03/20/2026

Disclosure

03/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00106

KEV

no

Activities

very low
