Path traversal in AVideo - CVE-2026-33238

 


Published: April 8, 2026


Vulnerability identifier: #VU125445
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33238
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in listFiles.json.php when handling a user-supplied path parameter. A remote user can send a specially crafted POST request to disclose sensitive information.

The issue is limited to enumeration of .mp4 filenames and their full absolute filesystem paths, and no user interaction is required.
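For a file-listing endpoint of the kind described above, the defensive pattern is to canonicalize the requested directory, confirm it stays under a fixed base, and return only base-relative names. The following is an added example, not AVideo's code or the vendor's fix; the function names `resolveInsideBase` and `listMp4` and the demo directory layout are hypothetical.

```php
<?php
declare(strict_types=1);
// Resolve $userPath under $base; return null if it is missing or escapes $base.
function resolveInsideBase(string $base, string $userPath): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    // Treat input as relative to the base even when it starts with a separator.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Trailing separator stops "/videos_old" from passing as a child of "/videos".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// List .mp4 files in a validated directory as paths relative to $base,
// so the response never carries absolute filesystem paths.
function listMp4(string $base, string $userPath): array
{
    $dir = resolveInsideBase($base, $userPath);
    if ($dir === null) {
        return [];
    }
    $baseLen = strlen((string) realpath($base));
    $out = [];
    foreach (scandir($dir) ?: [] as $name) {
        $full = $dir . DIRECTORY_SEPARATOR . $name;
        if (is_file($full) && strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'mp4') {
            $out[] = ltrim(substr($full, $baseLen), DIRECTORY_SEPARATOR);
        }
    }
    return $out;
}

// Constructed demo tree: one video inside the base, one outside it.
$root = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir("$root/videos/user1", 0700, true);
mkdir("$root/private", 0700, true);
touch("$root/videos/user1/clip.mp4");
touch("$root/private/secret.mp4");
var_dump(listMp4("$root/videos", 'user1'));      // path inside the base
var_dump(listMp4("$root/videos", '../private')); // path that climbs out of the base
```

Because `realpath()` resolves `..` segments and symbolic links before the prefix comparison, the check is made on the directory that would actually be read rather than on the raw input string.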


How to mitigate CVE-2026-33238

Install the security update from the vendor's website.
