CVE-2026-33681 in WWBN AVideo
Summary (English)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.
Responsible
GitHub_M
Reserved
23.03.2026
Publication
23.03.2026
Entries
| ID | Vulnerability | CWE | Base | Temp | 0day | Today | Exploitability | KEV | EPSS | CTI | Remediation | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 352573 | WWBN AVideo Parameter pluginRunDatabaseScript.json.php getDatabaseFileName Directory Traversal | 22 | 5.9 | 5.8 | $0-$5k | $0-$5k | Not defined | | 0.00054 | 0.00 | Official Fix | CVE-2026-33681 |