CVE-2026-46337 | THREATINT

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-29 | Updated 2026-05-29 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

<= 29.0

affected

References

github.com/...AVideo/security/advisories/GHSA-w4qq-74h6-58wq exploit

github.com/...AVideo/security/advisories/GHSA-w4qq-74h6-58wq

cve.org (CVE-2026-46337)

nvd.nist.gov (CVE-2026-46337)

Download JSON