CVE-2026-33292

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-22 17:17

Updated : 2026-03-23 16:18

NVD link : CVE-2026-33292

Mitre link : CVE-2026-33292

CVE.ORG link : CVE-2026-33292

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-33292", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-22T17:17:08.753", "references": [{"url": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el endpoint de streaming HLS ('view/hls.php') es vulnerable a un ataque de salto de ruta que permite a un atacante no autenticado transmitir cualquier video privado o de pago en la plataforma. El par\u00e1metro GET 'videoDirectory' se utiliza en dos rutas de c\u00f3digo divergentes \u2014 una para la autorizaci\u00f3n (que trunca en el primer segmento '/') y otra para el acceso a archivos (que conserva las secuencias de salto '..') \u2014 creando una condici\u00f3n de 'or\u00e1culo dividido' donde la autorizaci\u00f3n se verifica contra un video mientras que el contenido se sirve desde otro. La versi\u00f3n 26.0 contiene una soluci\u00f3n para el problema."}], "lastModified": "2026-03-23T16:18:24.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}