CVE-2026-33238 - Vulnerability Analysis
Medium | CVSS: 4.3 | Last Updated: March 23, 2026
WWBN AVideo - Path Traversal
Published: March 21, 2026 | Updated: March 23, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo < 26.0 contains a path traversal vulnerability: the listFiles.json.php endpoint passes an unrestricted 'path' parameter to glob(), letting authenticated uploaders enumerate .mp4 files across the entire server filesystem.
Severity & Score
Severity: Medium
CVSS Score: 4.3
Impact
Authenticated uploaders can enumerate .mp4 files and their full paths outside the web root, potentially exposing private media files.
Mitigation
Update to version 26.0 or later.
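The kind of containment check that prevents this class of bug, as an added PHP example (not AVideo code and not the project's actual fix in 26.0; `listMp4Within` and the demo directory names are hypothetical). It resolves the requested path and refuses it unless it lies under an allowed base directory.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not AVideo code: list .mp4 files only inside $baseDir.
function listMp4Within(string $requestedPath, string $baseDir): array
{
    // Resolve symlinks and ".." on both sides; realpath() returns false if missing.
    $base = realpath($baseDir);
    $dir  = realpath($requestedPath);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return [];
    }

    // Compare with a trailing separator so "/srv/videos-private" does not
    // pass as a child of "/srv/videos".
    $basePrefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($dir . DIRECTORY_SEPARATOR, $basePrefix, strlen($basePrefix)) !== 0) {
        return [];
    }

    // Iterate instead of calling glob() so characters such as "*" or "[" in a
    // directory name are never interpreted as a pattern.
    $files = [];
    foreach (new FilesystemIterator($dir, FilesystemIterator::SKIP_DOTS) as $entry) {
        if ($entry->isFile() && strtolower($entry->getExtension()) === 'mp4') {
            // Return names relative to the base, not absolute server paths.
            $files[] = substr($entry->getPathname(), strlen($basePrefix));
        }
    }
    sort($files);
    return $files;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . '/avideo-demo-' . bin2hex(random_bytes(4));
mkdir("$root/videos/user1", 0700, true);
mkdir("$root/videos-private", 0700, true);
touch("$root/videos/user1/clip.mp4");
touch("$root/videos-private/secret.mp4");

var_dump(listMp4Within("$root/videos/user1", "$root/videos"));             // path inside the base
var_dump(listMp4Within("$root/videos/../videos-private", "$root/videos")); // sibling directory via ".."
var_dump(listMp4Within('/', "$root/videos"));                              // filesystem root
```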
Details
- CVE ID: CVE-2026-33238
- Severity: Medium
- CVSS Score: 4.3
- Type: path_traversal
- Status: confirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N