WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.
References
| Link | Resource |
|---|---|
| https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4 | Patch |
| https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg | Exploit Mitigation Vendor Advisory |
Configurations
History
23 Mar 2026, 16:18
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* | |
| First Time |
Wwbn
Wwbn avideo |
|
| References | () https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4 - Patch | |
| References | () https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg - Exploit, Mitigation, Vendor Advisory |
22 Mar 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-22 17:17
Updated : 2026-03-23 16:18
NVD link : CVE-2026-33292
Mitre link : CVE-2026-33292
CVE.ORG link : CVE-2026-33292
JSON object : View
Products Affected
wwbn
- avideo
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')