Path Traversal Vulnerability in WWBN AVideo Open Source Video Platform
CVE-2026-41058

8.1HIGH

Key Information:

Vendor

Wwbn

Status
Avideo
Vendor
CVE Published:
21 April 2026

What is CVE-2026-41058?

The WWBN AVideo platform, an open-source video hosting solution, has a vulnerability in versions up to 29.0 where the 'deleteDump' parameter fails to filter path traversal effectively. This inadequacy permits unauthorized users to leverage ../../ sequences in the GET request to execute arbitrary file deletions through the unlink() function. It is critical for users of AVideo to apply the latest security patch to mitigate this risk.

Affected Version(s)

AVideo <= 29.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-5...
x_refsource_CONFIRM
https://github.com/WWBN/AVideo/security/advisories/GHSA-x...
x_refsource_MISC
https://github.com/WWBN/AVideo/commit/3c729717c26f160014a...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.