CVE-2026-33292
Published: 22 March 2026
Summary
CVE-2026-33292 is a high-severity Path Traversal (CWE-22) vulnerability in Wwbn Avideo. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 21.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs such as the `videoDirectory` parameter to block path traversal sequences such as `..`, directly preventing exploitation of this split-oracle vulnerability.
AC-3 enforces consistent access authorizations across all code paths, mitigating the divergent authorization and file access handling that enables unauthorized streaming of private videos.
SI-2 mandates timely flaw remediation, including patching to version 26.0, which corrects the `videoDirectory` parameter handling to eliminate the path traversal vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public HLS endpoint (view/hls.php) allows remote unauthenticated directory traversal to bypass authorization and access restricted video files on an Internet-facing video platform.
NVD Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.
Deeper analysis
CVE-2026-33292 is a path traversal vulnerability (CWE-22) affecting WWBN AVideo, an open source video platform, in versions prior to 26.0. The issue resides in the HLS streaming endpoint at `view/hls.php`, where the `videoDirectory` GET parameter is processed differently in two code paths: one for authorization that truncates at the first `/` segment, and another for file access that preserves `..` traversal sequences. This discrepancy creates a split-oracle condition, enabling unauthorized access to video files. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An unauthenticated attacker can exploit this vulnerability remotely with low complexity by manipulating the `videoDirectory` parameter to traverse directories and access any private or paid video on the platform. Successful exploitation allows the attacker to stream restricted video content without proper authorization, bypassing access controls while the system checks permissions against a different, authorized video path.
The WWBN AVideo security advisory (GHSA-pw4v-x838-w5pg) and the fixing commit (bc034066281085af00e64b0d7b81d8a025a928c4) confirm that upgrading to version 26.0 resolves the issue by addressing the divergent handling of the `videoDirectory` parameter. Security practitioners should prioritize patching affected instances to prevent unauthorized video streaming.
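The NVD description and the analysis above both turn on the two code paths seeing different values of `videoDirectory`. The following added example (written for this page, not AVideo's own code or its fix) shows the defensive pattern that removes the split: derive one canonical directory name, accept only a single plain path segment, and use that same value for both the authorization check and the file lookup; it also scans constructed access-log lines for requests that would have been rejected. The root path, the directory-name format and the log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout (constructed for this example): every video directory sits
# directly under VIDEOS_ROOT and is named by one plain path segment.
VIDEOS_ROOT = "/var/www/avideo/videos"
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")

def canonical_video_directory(param):
    """Return the single directory name that BOTH the authorization check and
    the file lookup must use, or None to reject the request outright.
    Allowing only one plain segment leaves nothing for a truncating and a
    non-truncating code path to disagree about."""
    if not param or not SAFE_SEGMENT.fullmatch(param):
        return None
    resolved = posixpath.normpath(posixpath.join(VIDEOS_ROOT, param))
    # Defense in depth: the normalized path must still sit directly under the root.
    if posixpath.dirname(resolved) != VIDEOS_ROOT:
        return None
    return param

HLS_REQUEST = re.compile(r'"GET (/view/hls\.php\?[^ "]*)')

def suspicious_hls_requests(access_log_lines):
    """Flag hls.php requests whose videoDirectory would be rejected by the
    canonical check after URL decoding (single or double encoded)."""
    flagged = []
    for line in access_log_lines:
        m = HLS_REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("videoDirectory", []):
            decoded = unquote(unquote(value))  # parse_qs already decoded once
            if canonical_video_directory(decoded) is None:
                flagged.append((decoded, line))
    return flagged

# Constructed sample log lines (combined log format); values are not real.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Mar/2026:10:00:01 +0000] "GET /view/hls.php?videoDirectory=v_abc123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Mar/2026:10:00:02 +0000] "GET /view/hls.php?videoDirectory=v_abc123/..%2Fv_other HTTP/1.1" 200 9001',
    '203.0.113.9 - - [22/Mar/2026:10:00:03 +0000] "GET /view/hls.php?videoDirectory=v_abc123%252F..%252Fv_other HTTP/1.1" 200 9001',
    '203.0.113.7 - - [22/Mar/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for decoded, line in suspicious_hls_requests(SAMPLE_LOG):
        print("rejected videoDirectory:", decoded)
```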
Details
- CWE(s)