CVE-2026-39369
Published: 07 April 2026
Summary
CVE-2026-39369 is a high-severity Path Traversal (CWE-22) vulnerability in Wwbn Avideo. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5, AI-generated)
- SI-10 (Information Input Validation): Validates attacker-controlled same-origin /videos/... URLs supplied to objects/aVideoEncoderReceiveImage.json.php to block path traversal sequences that bypass scrubbing and expose local files.
- SI-2 (Flaw Remediation): Remediates the specific path traversal flaw in the GIF poster storage path by applying the vendor patch from commit 2375eb5e0a6d3cbcfb05377657d0820a7d470b1d.
- Least privilege for uploaders: Enforces least privilege for authenticated uploaders, limiting the scope of file access and reducing the impact of exploited traversal in the encoder endpoint.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Path traversal in the web component directly enables arbitrary local file reads (e.g., /etc/passwd, source code) by an authenticated user, mapping to T1005 Data from Local System.
NVD Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
Deeper analysis (AI-generated)
CVE-2026-39369 is a path traversal vulnerability (CWE-22) in WWBN AVideo, an open source video platform, affecting versions 26.0 and prior. The issue resides in the objects/aVideoEncoderReceiveImage.json.php component, which permits an authenticated uploader to supply attacker-controlled same-origin /videos/... URLs. This bypasses traversal scrubbing and exposes server-local files through the GIF poster storage path, with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).
An authenticated uploader with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to read arbitrary local files, such as /etc/passwd or application source code, by abusing the vulnerable GIF branch. The stolen file contents are then republished through a normal public GIF media URL, enabling high confidentiality impact alongside low integrity and availability impacts.
Mitigation details are provided in the official GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33 and the patching commit at https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d. Security practitioners should upgrade to a patched version beyond 26.0 and review access controls for uploaders.
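As an added illustration of the SI-10 input-validation control for the flaw described above (this is not AVideo's code or the vendor patch), the check below resolves an uploader-supplied same-origin /videos/... URL to a canonical filesystem path and rejects anything that does not land on an existing file inside the videos root, which is the containment step that pattern scrubbing alone cannot guarantee. The host name, directory layout and function name are assumptions.

```php
<?php
// Added illustration of the SI-10 control for this advisory, not AVideo's code:
// resolve an uploader-supplied same-origin /videos/... URL to a canonical path
// and reject anything that does not land on an existing file under the root.
function resolveVideosUrl(string $url, string $expectedHost, string $videosRoot): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return null;                                   // malformed or relative URL
    }
    if (strcasecmp($parts['host'], $expectedHost) !== 0) {
        return null;                                   // not same-origin
    }
    // Decode exactly once so %2e%2e is seen as ".." below; never decode twice.
    $path = rawurldecode($parts['path']);
    if (strpos($path, "\0") !== false || strpos($path, '/videos/') !== 0) {
        return null;                                   // null byte or wrong prefix
    }
    $rel = substr($path, strlen('/videos/'));
    foreach (explode('/', $rel) as $seg) {             // refuse "." / ".." / empty segments
        if ($seg === '' || $seg === '.' || $seg === '..') {
            return null;
        }
    }
    $root = realpath($videosRoot);
    $real = realpath($videosRoot . '/' . $rel);        // also resolves symlinks
    if ($root === false || $real === false) {
        return null;                                   // missing file or root
    }
    // Final containment check on the canonical path, the part pattern scrubbing cannot do.
    return strpos($real, $root . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}
// Constructed demo layout (assumption): videos/abc/poster.gif plus a symlink escaping the root.
$base = sys_get_temp_dir() . '/avideo_demo_' . getmypid();
mkdir("$base/videos/abc", 0700, true);
file_put_contents("$base/videos/abc/poster.gif", 'GIF89a');
file_put_contents("$base/secret.txt", 'outside the videos root');
symlink("$base/secret.txt", "$base/videos/abc/link.gif");
$urls = [
    'https://cdn.example.test/videos/abc/poster.gif',               // legitimate poster
    'https://cdn.example.test/videos/../secret.txt',                 // plain traversal
    'https://cdn.example.test/videos/abc/%2e%2e/%2e%2e/secret.txt',  // encoded traversal
    'https://cdn.example.test/videos/abc/link.gif',                  // symlink out of root
    'https://other.example.test/videos/abc/poster.gif',              // different origin
];
foreach ($urls as $u) {
    $r = resolveVideosUrl($u, 'cdn.example.test', "$base/videos");
    printf("%-66s %s\n", $u, $r === null ? 'REJECTED' : 'ALLOWED');
}
```

Only the first URL should be accepted; the rest are rejected by the origin check, the segment check, or the realpath containment check respectively.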
Details
- CWE(s)