CVE-2026-33238
MEDIUMAVideo <26.0 listFiles.json.php - Filesystem Enumeration
Title source: manualDescription
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4
X_Refsource_Misc x_refsource_misc
https://github.com/WWBN/AVideo/issues/10403
X_Refsource_Misc x_refsource_misc
https://github.com/WWBN/AVideo/commit/870cf24a7632d4f1a5d5549b59103c18f39e3a21
Scores
CVSS v3
4.3
EPSS
0.0042
EPSS Percentile
33.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
wwbn/avideo
< 26.0
wwbn/avideo
0Packagist
WWBN/AVideo
< 26.0
Published
Mar 21, 2026
Tracked Since
Mar 21, 2026