External Control of File Name or Path in AVideo - CVE-2026-33354

 


Published: April 8, 2026


Vulnerability identifier: #VU125455
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33354
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to external control of file name or path in aVideoEncoder.json.php when processing a requester-controlled chunkFile parameter. A remote user can send a specially crafted POST request with an arbitrary local filesystem path to disclose sensitive information.

Exploitation requires an authenticated account with upload permission, ownership of an editable video record, and that the target file is readable by the web application user.
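One way to confine a client-supplied path such as chunkFile to a dedicated directory, shown as an added example that is not AVideo's code or the vendor's patch. The function name resolveChunkFile() and the temporary directory layout are hypothetical, and the sample files are constructed.

```php
<?php
// Added example. resolveChunkFile() and the directory layout are hypothetical,
// not taken from AVideo.

/** Return the canonical path if $requested is a file inside $baseDir, else null. */
function resolveChunkFile(string $requested, string $baseDir): ?string
{
    // Reject empty values, NUL bytes and stream wrappers (php://, phar://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($requested); // resolves "..", "." and symlinks; false if missing
    if ($base === false || $real === false || !is_file($real)) {
        return null; // fail closed
    }
    // Compare with a trailing separator so "/chunks-old" never matches "/chunks".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo data in a temporary directory.
$base = sys_get_temp_dir() . '/chunks_' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents("$base/upload.part", 'chunk');
$outside = tempnam(sys_get_temp_dir(), 'out'); // stands in for any file outside $base
symlink($outside, "$base/link.part");

$cases = [
    'file inside chunk dir' => "$base/upload.part",
    'absolute path outside' => $outside,
    'traversal out of dir'  => "$base/../" . basename($outside),
    'symlink to outside'    => "$base/link.part",
    'stream wrapper'        => 'php://filter/resource=' . $outside,
];
foreach ($cases as $label => $path) {
    $verdict = resolveChunkFile($path, $base) === null ? 'rejected' : 'accepted';
    printf("%-24s %s\n", $label, $verdict);
}

// Remove the constructed demo files.
unlink("$base/link.part");
unlink("$base/upload.part");
rmdir($base);
unlink($outside);
```

Callers should open the canonical path the function returns rather than the original parameter value, so the file that was checked is the file that is read.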


How to mitigate CVE-2026-33354

Install the security update from the vendor's website.
