#VU125455 External Control of File Name or Path in AVideo - CVE-2026-33354

 


Published: April 8, 2026


Vulnerability identifier: #VU125455
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33354
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
AVideo
Software vendor:
World Wide Broadcast Network

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to external control of file name or path in aVideoEncoder.json.php when processing a requester-controlled chunkFile parameter. A remote user can send a specially crafted POST request with an arbitrary local filesystem path to disclose sensitive information.

Exploitation requires an authenticated account with upload permission, ownership of an editable video record, and that the target file is readable by the web application user.
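
The following PHP sketch is an added example, not AVideo's code or the vendor's patch. It shows one way to confine a requester-supplied path such as chunkFile to a dedicated chunk directory before the file is read. The function name, the directory layout and the sample files are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not AVideo's code): return the canonical path of a
// requester-supplied chunk file only if it lies inside $chunkDir, else null.
function resolveChunkFile(string $requested, string $chunkDir): ?string
{
    // Reject empty input, NUL bytes and stream wrappers (php://, phar://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested) === 1) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and fails on missing files.
    $base = realpath($chunkDir);
    $real = realpath($requested);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare against the directory plus separator so that a sibling such as
    // "/data/chunks-old" is not accepted for a base of "/data/chunks".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo: a temporary chunk directory with one sample chunk and a
// sibling directory whose name shares the same prefix.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'chunks_' . bin2hex(random_bytes(4));
$sibling = $dir . '-old';
mkdir($dir, 0700);
mkdir($sibling, 0700);
file_put_contents($dir . '/part1.bin', 'constructed sample chunk');
file_put_contents($sibling . '/part1.bin', 'constructed sibling file');

$cases = [
    $dir . '/part1.bin',                               // inside: accepted
    $dir . '/../' . basename($dir) . '/part1.bin',     // resolves inside: accepted
    $sibling . '/part1.bin',                           // prefix look-alike: rejected
    __FILE__,                                          // readable but outside: rejected
    'file://' . $dir . '/part1.bin',                   // stream wrapper: rejected
];
foreach ($cases as $case) {
    $verdict = resolveChunkFile($case, $dir) === null ? 'rejected' : 'accepted';
    printf("%-9s %s\n", $verdict, $case);
}

// Remove the constructed files.
unlink($dir . '/part1.bin'); unlink($sibling . '/part1.bin');
rmdir($dir); rmdir($sibling);
```

A stricter design accepts only an opaque chunk identifier from the client and builds the path on the server, so no filesystem path crosses the trust boundary at all.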


Remediation

Install the security update from the vendor's website.
