CVE-2026-33293
Published: 22 March 2026
Summary
CVE-2026-33293 is a high-severity Path Traversal (CWE-22) vulnerability in Wwbn Avideo. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires input validation mechanisms for parameters like deleteDump to block path traversal sequences before passing to unlink(), preventing arbitrary file deletion.
Mandates timely flaw remediation by applying the patch in AVideo version 26.0 that sanitizes the deleteDump parameter.
Enforces access control policies to restrict authenticated clone users from deleting arbitrary files outside intended paths, mitigating traversal abuse.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing AVideo web app enables remote authenticated file deletion (unlink) of critical files like configuration.php, directly mapping to exploitation of public-facing applications and resulting data destruction/DoS impact.
NVD Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to…
more
delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
Deeper analysisAI
CVE-2026-33293 is a path traversal vulnerability (CWE-22) in WWBN AVideo, an open-source video platform. In versions prior to 26.0, the `deleteDump` parameter in the `plugin/CloneSite/cloneServer.json.php` file is passed directly to the PHP `unlink()` function without path sanitization. This allows attackers to supply traversal sequences, such as `../../`, to target arbitrary files on the server filesystem.
An attacker with valid clone credentials can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables deletion of critical files, such as `configuration.php`, resulting in high integrity and availability impacts (CVSS 8.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H). This can cause complete denial of service or facilitate further attacks by removing security-critical files.
The issue is fixed in AVideo version 26.0. The GitHub security advisory (GHSA-xmjm-86qv-g226) and the fixing commit (941decd6d19e2e694acb75e86317d10fbb560284) detail the patch, which administrators should apply promptly to mitigate the risk.
Details
- CWE(s)