CVE-2026-33681 | THREATINT

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.

PUBLISHED Reserved 2026-03-23 | Published 2026-03-23 | Updated 2026-03-24 | Assigner GitHub_M

HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

<= 26.0

affected

References

github.com/...AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr

github.com/...ommit/81b591c509835505cb9f298aa1162ac64c4152cb

cve.org (CVE-2026-33681)

nvd.nist.gov (CVE-2026-33681)

Download JSON