MEDIUM 4.9

CVE-2026-45731: WWBN AVideo Admin Path-Traversal File Read Vulnerability

WWBN AVideo, an open-source video hosting platform, contains a file-read vulnerability in its database migration feature. An authenticated administrator can manipulate the migration process to read sensitive text files from the server's filesystem. This requires existing admin access, so it poses a targeted insider risk rather than a mass-exploitation threat, but it can expose configuration files, credentials, or other data to a compromised or malicious admin account.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45731 is a path-traversal vulnerability affecting WWBN AVideo version 29.0 and earlier. The vulnerable code path exists in view/update.php, which accepts user-supplied input via the $_POST['updateFile'] parameter during database migration operations. This input is treated as a relative path within the updatedb/ directory and passed to PHP's file() function, which reads and processes the file line-by-line. Because the parameter accepts relative paths without proper sanitization, an authenticated administrator can traverse the filesystem using path sequences (e.g., ../) to read arbitrary text files accessible to the web server process. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Business impact

A compromised or malicious administrator account can exfiltrate sensitive data including database configuration files, application secrets, environment variables, or other plaintext credentials stored on the server. Organizations running AVideo as a content distribution or internal video platform should recognize this as a insider-threat and data-exposure vector. The impact is limited to confidentiality (file contents) with no direct integrity or availability impact, but stolen credentials could enable further lateral movement or privilege escalation within the infrastructure.

Affected systems

WWBN AVideo versions 29.0 and earlier are affected. This includes all self-hosted deployments of the open-source AVideo platform. The vulnerability requires network access to the platform and valid administrator credentials, so it does not affect public instances where admin access is strictly controlled. Organizations using managed or SaaS versions of AVideo should verify with their provider whether they are running patched code.

Exploitability

Exploitation requires an authenticated administrator account, which significantly limits attack surface. An attacker must either compromise an existing admin user or be an insider with such privileges. Once authenticated, the attack requires only a simple HTTP POST request to the update.php endpoint with a crafted relative path. No special tools or complex bypass techniques are needed. The lack of CVSS Environmental factors or Temporal modifiers suggests this threat is most relevant to organizations where admin accounts are not carefully segregated or monitored, or where legacy instances have not yet been updated.

Remediation

Upgrade WWBN AVideo to a version newer than 29.0 that addresses this vulnerability. The patch should implement strict path validation to reject relative path sequences (../) and whitelist only approved migration filenames or directories. Verify the fix against the vendor's release notes and security advisories. Organizations unable to patch immediately should implement network or application-level monitoring to detect unusual updatedb/ access patterns and restrict admin console access to trusted IP ranges.

Patch guidance

Check the official WWBN AVideo GitHub repository or vendor security advisories for version 30.0 or later, which should contain the remediation. Apply patches during a maintenance window after testing in a non-production environment. Document the version upgrade and verify database migrations complete successfully. If running on a container platform, rebuild images with the patched code and redeploy. For self-hosted instances, follow the vendor's documented upgrade procedure to avoid data loss.

Detection guidance

Monitor HTTP POST requests to view/update.php that include unusual or excessively long values in the updateFile parameter, particularly those containing ../ sequences. Log all database migration activities and flag requests initiated by admin users outside normal change-control windows. Review web server access logs for repeated or failed attempts to access updatedb/ with path-traversal indicators. Implement file-integrity monitoring on sensitive configuration files to detect unauthorized reads. Consider deploying a Web Application Firewall (WAF) rule to block updateFile parameters containing path-traversal patterns.

Why prioritize this

Although this vulnerability carries a CVSS score of 4.9 (Medium), it should not be deprioritized relative to higher-scoring flaws if your organization depends on AVideo and has a large or distributed admin user base. The insider-threat angle and credential-exposure potential make it relevant for compliance (PCI-DSS, HIPAA, SOC 2 if handling restricted data) and insider-risk programs. However, organizations with a small, trusted, and well-monitored admin team may deprioritize relative to critical externally-exploitable flaws. The lack of active in-the-wild exploitation (not on KEV) provides some breathing room for staged deployment.

Risk score, explained

The CVSS 3.1 score of 4.9 reflects a Medium severity: the attack requires high privileges (PR:H) and network access (AV:N) with low complexity (AC:L), and impacts only confidentiality (C:H, I:N, A:N). The score appropriately de-weights the threat because exploitation requires an authenticated administrator. However, real-world risk may be higher in environments with weak admin credential controls, legacy systems, or regulated data. Conversely, risk may be lower in environments with robust identity governance, privileged-access management (PAM), and audit logging.

Frequently asked questions

Does this vulnerability allow unauthenticated file reads?

No. The vulnerability requires valid administrator credentials. An attacker cannot exploit it without first compromising or being granted an admin account. This significantly reduces the attack surface compared to unauthenticated path-traversal flaws.

What files can an attacker read?

Any text file accessible to the web server process user, typically files within the web root, application directories, and files readable by that OS user. Common targets include .env files, database configuration files, application source code, and system configuration. Binary files will be corrupted if read line-by-line.

Is there an active exploit in the wild?

No. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active exploitation as of the publication date. However, organizations should not rely on this and should patch proactively, especially if admin access is not tightly controlled.

What is the recommended remediation timeline?

Upgrade to a patched version as soon as practical after testing in a staging environment. Given the Medium CVSS score and the requirement for admin access, a 30–60 day remediation window is reasonable for most organizations, but those with sensitive data or strict compliance requirements should prioritize sooner.

This analysis is provided for informational purposes only and does not constitute legal, compliance, or professional security advice. The information is accurate as of the publication date but may become outdated as vendors release patches and new information emerges. Organizations should verify all technical details against official vendor advisories, test patches in non-production environments before deployment, and consult their security and compliance teams when determining remediation timelines and risk tolerance. SEC.co does not guarantee the completeness or accuracy of vulnerability intelligence and recommends independent verification of all critical findings. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).