CVE-2026-33493
Published: 23 March 2026
Summary
CVE-2026-33493 is a high-severity path traversal (CWE-22) vulnerability in WWBN AVideo. Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 25.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the path traversal by requiring that the user-controlled `fileURI` POST parameter be canonicalized and checked against an allowed directory, not merely matched against a `.mp4` suffix regex.
- SI-2 (Flaw Remediation): addresses the specific vulnerability by identifying, reporting, and applying the patch that implements `realpath()` and directory prefix validation in `import.json.php`.
- Access enforcement on filesystem resources: restricts unauthorized reading, importing, or deletion of private videos and adjacent files, and limits what the web server process can write even if the path check is bypassed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): the path traversal is reachable through a public-facing web application endpoint.
- T1005 (Data from Local System): the resulting unauthorized read access to other users' videos and to `.txt`/`.html`/`.htm` files on disk.
- T1070.004 (Indicator Removal: File Deletion): the ability to delete writable `.mp4` files and adjacent text files.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch.
Deeper analysis
CVE-2026-33493 is a path traversal vulnerability (CWE-22) in WWBN AVideo, an open source video platform, affecting versions up to and including 26.0. The issue resides in the `objects/import.json.php` endpoint, which accepts a user-controlled `fileURI` POST parameter validated only by a regex check that the value ends in `.mp4`. Unlike the hardened `objects/listFiles.json.php` endpoint, which uses `realpath()` and a directory prefix check to confine paths to the `videos/` directory, `import.json.php` imposes no directory restriction, so a `fileURI` containing `../` segments resolves to any location the web server process can reach, as long as the name ends in `.mp4`. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
An authenticated attacker with upload permission can exploit this over the network with low complexity. They can steal private video files belonging to other users by importing them into their own account, read `.txt`, `.html`, or `.htm` files located adjacent to any `.mp4` file on the filesystem, and delete `.mp4` files along with adjacent text files if those files are writable by the web server process.
The GitHub security advisory (GHSA-83xq-8jxj-4rxm) and commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 detail the patch, which applies the same canonicalization and directory restriction to `import.json.php` that `listFiles.json.php` already had. Security practitioners should update to a release that includes this commit (later than 26.0) and review which accounts hold upload permission, since that permission is the only precondition beyond network access.
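The advisory and the analysis above contrast a suffix-only regex with a `realpath()` plus directory prefix check. The following PHP is an added illustration written for this page, not AVideo's own code and not the contents of the patch commit: it places the weak check beside a hardened check modeled on the description of `listFiles.json.php`, builds a throwaway directory tree under the system temp directory (a constructed fixture), and runs both checks over a legitimate path, a `../` traversal, a sibling directory whose name shares the `videos` prefix, a symlink that escapes `videos/`, and a nonexistent file. Function names, the fixture layout and the `$videosDir` parameter are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Weak check: the suffix-only regex the advisory attributes to import.json.php.
// It says nothing about where the file lives, so "../" segments pass untouched.
function weakMp4Check(string $fileURI): bool
{
    return preg_match('/\.mp4$/i', $fileURI) === 1;
}

// Hardened check modeled on the advisory's description of listFiles.json.php:
// canonicalize with realpath() and require the result to sit under $videosDir.
// Names are ours (example code), not AVideo's.
function isAllowedVideoPath(string $fileURI, string $videosDir): bool
{
    if (!weakMp4Check($fileURI)) {
        return false;
    }
    $base = realpath($videosDir);
    $real = realpath($fileURI);
    // realpath() returns false when the path does not exist or cannot be
    // resolved; fail closed instead of falling through to a string compare.
    if ($base === false || $real === false) {
        return false;
    }
    // Compare against the directory WITH a trailing separator so that a
    // sibling such as "videos_other/" is not accepted as a prefix match.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 && is_file($real);
}

// Constructed fixture: a small tree under the temp dir (POSIX assumed for symlink()).
$root   = sys_get_temp_dir() . '/avideo-cve-2026-33493-' . bin2hex(random_bytes(4));
$videos = "$root/videos";
mkdir("$videos/alice", 0700, true);
mkdir("$root/private", 0700, true);
mkdir("$root/videos_other", 0700, true);
touch("$videos/alice/a.mp4");            // legitimate upload
touch("$root/private/secret.mp4");       // another user's private file
touch("$root/videos_other/x.mp4");       // sibling dir sharing the "videos" prefix
symlink("$root/private/secret.mp4", "$videos/alice/link.mp4"); // symlink escaping videos/

$cases = [
    "$videos/alice/a.mp4",                    // expected: weak=true  hardened=true
    "$videos/alice/../../private/secret.mp4", // expected: weak=true  hardened=false
    "$root/videos_other/x.mp4",               // expected: weak=true  hardened=false
    "$videos/alice/link.mp4",                 // expected: weak=true  hardened=false
    "$videos/alice/missing.mp4",              // expected: weak=true  hardened=false
];
foreach ($cases as $c) {
    printf(
        "%-45s weak=%-5s hardened=%s\n",
        str_replace($root, '', $c),
        var_export(weakMp4Check($c), true),
        var_export(isAllowedVideoPath($c, $videos), true)
    );
}

// Tear the fixture down.
foreach (["$videos/alice/link.mp4", "$videos/alice/a.mp4", "$root/private/secret.mp4",
          "$root/videos_other/x.mp4"] as $f) {
    unlink($f);
}
foreach (["$videos/alice", $videos, "$root/private", "$root/videos_other", $root] as $d) {
    rmdir($d);
}
```

Two details in the hardened check are the ones most often missed when a fix of this shape is reviewed: `realpath()` resolves symlinks, so a link planted inside `videos/` that points elsewhere is rejected rather than followed, and it returns `false` for a path that does not exist, which must be treated as a rejection rather than compared as a string. The trailing-separator prefix compare closes the `videos_other` case that a bare `strpos($real, $base) === 0` would accept.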
Details
- CWE(s)