CVE-2026-33238

MEDIUM

AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration

Title source: cna

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.

References (3)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4

[X_Refsource_Misc] https://github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/WWBN/AVideo/issues/10403

Scores

CVSS v3 4.3

EPSS 0.0002

EPSS Percentile 3.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

wwbn/avideo < 26.0

wwbn/avideo 0Packagist

WWBN/AVideo < 26.0

Published Mar 21, 2026

Tracked Since Mar 21, 2026