Cyber Posture

CVE-2026-33681

Severity: High · Public PoC

Published: 23 March 2026
Modified: 25 March 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33681 is a high-severity Path Traversal (CWE-22) vulnerability in Wwbn Avideo. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 28.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 requires validation of the 'name' parameter to block path traversal sequences, directly preventing execution of arbitrary install.sql files as SQL queries.

Prevent: SI-2 ensures timely remediation of the path traversal flaw via the patch in commit 81b591c, eliminating the vulnerability in affected AVideo versions.

Prevent: AC-6 least privilege limits administrative access to the vulnerable pluginRunDatabaseScript endpoint, reducing direct exploitation and CSRF risks against admins.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in a public-facing web application endpoint enables T1190 exploitation (directly or via CSRF); exploitation requires or abuses valid admin accounts (T1078); and the flaw directly allows arbitrary SQL execution against the database, enabling data access (T1213.006), destruction (T1485), and stored data manipulation (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.

Deeper analysis

CVE-2026-33681 is a path traversal vulnerability (CWE-22) affecting WWBN AVideo, an open source video platform, in versions up to and including 26.0. The issue resides in the `objects/pluginRunDatabaseScript.json.php` endpoint, which accepts a `name` parameter via POST and passes it unsanitized to the `Plugin::getDatabaseFileName()` function. This flaw enables attackers to navigate outside the intended plugin directory and access arbitrary `install/install.sql` files on the filesystem, executing their contents as raw SQL queries directly against the application's database.

Exploitation requires high privileges, as indicated by the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). An authenticated administrator can directly trigger the endpoint to achieve SQL injection-like effects by supplying a crafted `name` parameter with traversal sequences (e.g., `../`). Alternatively, an unauthenticated attacker could exploit this via cross-site request forgery (CSRF) if targeting an admin user, potentially leading to unauthorized database modifications, data exfiltration, or destruction depending on the contents of accessible `install.sql` files.

The vulnerability is addressed in commit 81b591c509835505cb9f298aa1162ac64c4152cb, available on the WWBN/AVideo GitHub repository, which patches the path traversal issue. Additional details and mitigation guidance are provided in the GitHub Security Advisory GHSA-3hwv-x8g3-9qpr. Security practitioners should urge AVideo users to update to a patched version beyond 26.0 and review access controls for admin endpoints to prevent CSRF abuse.
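The SI-10 control above calls for validating the `name` parameter before any SQL file is located. The following added example (not AVideo's code, and not the upstream patch) shows the two checks a defender would want on such a parameter: a strict allowlist on the raw value, then a canonical-path containment check so anything that slips past the allowlist (for instance a symlinked plugin directory) still cannot escape the plugins root. The plugin directory layout and the alphanumeric plugin-name rule are assumptions for the demo.

```python
"""Added example (not AVideo's code): defensive resolution of a plugin
`name` parameter to <plugins_root>/<name>/install/install.sql."""
import re
import tempfile
from pathlib import Path

# Primary control: allowlist the raw parameter. Assumption for this demo:
# plugin directory names are alphanumeric/underscore only.
PLUGIN_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def plugin_sql_path(name: str, plugins_root: Path) -> Path:
    """Return the install.sql path for `name`, or raise ValueError."""
    if not PLUGIN_NAME_RE.fullmatch(name):
        raise ValueError("plugin name rejected by allowlist")
    root = plugins_root.resolve(strict=True)
    candidate = (root / name / "install" / "install.sql").resolve()
    # Secondary control: the canonical file must sit under the canonical root.
    if root not in candidate.parents:
        raise ValueError("resolved path escapes plugins directory")
    if not candidate.is_file():
        raise ValueError("install.sql not present for this plugin")
    return candidate


def demo() -> dict:
    """Exercise accept/reject cases against a constructed plugin tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "plugin"
        (root / "Gallery" / "install").mkdir(parents=True)
        (root / "Gallery" / "install" / "install.sql").write_text("-- ok\n")
        (base / "other" / "install").mkdir(parents=True)  # constructed decoy
        (base / "other" / "install" / "install.sql").write_text("-- no\n")
        cases = [("good", "Gallery"), ("traversal", "../other"),
                 ("absolute", "/etc"), ("missing", "NoSuchPlugin")]
        try:  # a symlinked plugin dir passes the allowlist, fails containment
            (root / "Link").symlink_to(base / "other", target_is_directory=True)
            cases.append(("symlink", "Link"))
        except OSError:
            pass  # symlinks unavailable on this platform; skip that case
        for label, name in cases:
            try:
                plugin_sql_path(name, root)
                results[label] = "accepted"
            except ValueError as exc:
                results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```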

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: wwbn avideo ≤ 26.0

CVEs Like This One

CVE-2026-33293 (same product: Wwbn Avideo)
CVE-2026-33292 (same product: Wwbn Avideo)
CVE-2026-41058 (same product: Wwbn Avideo)
CVE-2026-40909 (same product: Wwbn Avideo)
CVE-2026-33493 (same product: Wwbn Avideo)
CVE-2026-39369 (same product: Wwbn Avideo)
CVE-2026-33513 (same product: Wwbn Avideo)
CVE-2026-33352 (same product: Wwbn Avideo)
CVE-2026-33485 (same product: Wwbn Avideo)
CVE-2026-34374 (same product: Wwbn Avideo)
