File Upload Vulnerability in WWBN AVideo Versions Prior to 26.0
CVE-2026-33493

7.1 HIGH

Key Information:

Vendor: Wwbn

Status
Vendor
CVE Published: 23 March 2026

What is CVE-2026-33493?

AVideo, an open source video platform developed by WWBN, has a vulnerability in its objects/import.json.php endpoint, which lacks proper directory restrictions. An authenticated user with upload permissions can manipulate the fileURI POST parameter, because the only validation applied to it is a check for the .mp4 file extension. As a result, such a user can potentially steal private video files owned by other users, read adjacent .txt, .html, and .htm files from the filesystem, and even delete .mp4 files and any writable adjacent text files. A patch that addresses these issues is provided in commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78.
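
The missing directory restriction described above, shown as an added PHP example; it is not AVideo's code and not the patch in the commit named above. The function names and the per-user import directory layout are assumptions made for illustration.

```php
<?php
// Added illustration; names and directory layout are hypothetical, not AVideo's.

// Extension-only validation, as the advisory describes: any path ending in
// .mp4 passes, wherever it lives on the filesystem.
function extensionOnlyCheck(string $fileURI): bool
{
    return strtolower(pathinfo($fileURI, PATHINFO_EXTENSION)) === 'mp4';
}

// Hardened check: canonicalise first, then require the result to sit under
// the caller's own import directory.
function resolveImportPath(string $fileURI, string $importRoot): ?string
{
    $root = realpath($importRoot);
    $real = realpath($fileURI);   // resolves ../ and symlinks; false if missing
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'mp4') {
        return null;
    }
    // Trailing separator stops /imports/alice matching /imports/alice-old.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Sibling text files are derived from the validated path, never from raw input.
function siblingText(string $validatedMp4, string $ext): ?string
{
    if (!in_array($ext, ['txt', 'html', 'htm'], true)) {
        return null;
    }
    $candidate = realpath(preg_replace('/\.mp4$/i', '.' . $ext, $validatedMp4));
    return ($candidate !== false && dirname($candidate) === dirname($validatedMp4))
        ? $candidate : null;
}

// Constructed layout: two users' directories under a temporary root.
$base = sys_get_temp_dir() . '/import-demo-' . getmypid();
mkdir("$base/alice", 0700, true);
mkdir("$base/bob", 0700, true);
touch("$base/alice/clip.mp4");
touch("$base/bob/private.mp4");

$crossUser = "$base/alice/../bob/private.mp4";
var_dump(extensionOnlyCheck($crossUser));
var_dump(resolveImportPath($crossUser, "$base/alice"));
var_dump(resolveImportPath("$base/alice/clip.mp4", "$base/alice") !== null);
```

The extension-only check accepts the path that resolves into the other user's directory, while the canonicalising check rejects it and still accepts the caller's own file.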

Affected Version(s)

AVideo <= 26.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
