CVE-2026-33681 in WWBN AVideo信息

摘要 (英语)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.

负责

GitHub_M

预定

2026-03-23

披露

2026-03-23

条目

VulDB provides additional information and datapoints for this CVE:

标识符	漏洞	CWE	可利用	对策	CVE
352573	WWBN AVideo Parameter pluginRunDatabaseScript.json.php getDatabaseFileName 目录遍历	22	未定义	官方修复	CVE-2026-33681

描述

CPE

CWE

CVSS

漏洞利用

历史

差异

连接

威胁情报

API JSON

API XML

API CSV

◂ 上一步一览下一步 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!