Cyber Resilience

CVE-2026-33293

HighPublic PoC

Published: 22 March 2026

Published
22 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0050 39.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33293 is a high-severity Path Traversal (CWE-22) vulnerability in Wwbn Avideo. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33293 is a path traversal vulnerability (CWE-22) in WWBN AVideo, an open-source video platform. In versions prior to 26.0, the `deleteDump` parameter in the `plugin/CloneSite/cloneServer.json.php` file is passed directly to the PHP `unlink()` function without path sanitization. This allows attackers to supply traversal sequences, such as `../../`, to target arbitrary files on the server filesystem.

An attacker with valid clone credentials can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables deletion of critical files, such as `configuration.php`, resulting in high integrity and availability impacts (CVSS 8.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H). This can cause complete denial of service or facilitate further attacks by removing security-critical files.

The issue is fixed in AVideo version 26.0. The GitHub security advisory (GHSA-xmjm-86qv-g226) and the fixing commit (941decd6d19e2e694acb75e86317d10fbb560284) detail the patch, which administrators should apply promptly to mitigate the risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to…

more

delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal in public-facing AVideo web app enables remote authenticated file deletion (unlink) of critical files like configuration.php, directly mapping to exploitation of public-facing applications and resulting data destruction/DoS impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33292Same product: Wwbn Avideo
CVE-2026-33681Same product: Wwbn Avideo
CVE-2026-41058Same product: Wwbn Avideo
CVE-2026-40909Same product: Wwbn Avideo
CVE-2026-33493Same product: Wwbn Avideo
CVE-2026-39369Same product: Wwbn Avideo
CVE-2026-33513Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires input validation mechanisms for parameters like deleteDump to block path traversal sequences before passing to unlink(), preventing arbitrary file deletion.

prevent

Mandates timely flaw remediation by applying the patch in AVideo version 26.0 that sanitizes the deleteDump parameter.

prevent

Enforces access control policies to restrict authenticated clone users from deleting arbitrary files outside intended paths, mitigating traversal abuse.

References