CVE-2026-33238

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33238

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33238.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33238

Aliases

GHSA-4wmm-6qxj-fpj4

Published

2026-03-20T23:31:35.134Z

Modified

2026-04-10T05:42:40.077093Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration

Details

WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33238.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type: GIT
Repo: https://github.com/wwbn/avideo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

aee1e11ee8d9343f87b7643e49cc32924b07979b

Affected versions

10.*

10.8

Other

11.*

11.1

11.1.1

11.5

11.6

12.*

12.4

14.*

14.3

14.3.1

18.*

18.0

2.*

2.2

2.7

21.*

21.0

22.*

22.0

24.*

24.0

25.*

25.0

3.*

3.4

4.*

4.0

7.*

7.2

7.3

7.4

7.6

7.7

7.8

8.*

8.1

8.5

8.6

8.7

8.9

8.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33238.json"