CVE-2026-46337: WWBN AVideo Path-Traversal Vulnerability – Unauthenticated File Disclosure
WWBN AVideo, an open-source video platform, contains a path-traversal vulnerability in version 29.0 and earlier that allows anyone on the internet to download image files from the server without logging in. An attacker can bypass the application's permission controls to access private user profile photos, admin-uploaded thumbnails, encrypted-video poster frames, and files in neighboring directories. The vulnerability exists because the affected endpoint does not validate or restrict file paths before serving images.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46337 is a CWE-22 path-traversal vulnerability affecting WWBN AVideo through version 29.0. An unauthenticated remote attacker can exploit an unprotected endpoint to read arbitrary image files accessible to the PHP process, including those outside the intended document root. By crafting requests with directory-traversal sequences (../) or absolute paths, an attacker circumvents the application's access-control layer and the web server's intended file-serving restrictions. The vulnerability requires no authentication, no user interaction, and operates over the network (CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), resulting in a CVSS score of 5.3 (Medium severity).
Business impact
This vulnerability enables unauthorized disclosure of sensitive image assets. Organizations running AVideo may expose private user photos, administrative content, and potentially proprietary images stored on the same server. In multi-tenant or shared-hosting environments, attackers could access files belonging to other applications. The lack of authentication requirement means attackers need only network access; no valid credentials are required. While the integrity and availability of the system remain unaffected, confidentiality loss can damage user trust, violate privacy obligations, and expose business-sensitive visual content.
Affected systems
WWBN AVideo version 29.0 and all earlier versions are vulnerable. The affected endpoint is accessible to any remote attacker without authentication. The vulnerability applies regardless of web-server configuration, PHP version compatibility (within supported ranges), or whether file permissions are restrictive on the underlying filesystem—since the PHP process itself can access the files, the vulnerability persists.
Exploitability
This vulnerability has a low barrier to exploitation. An attacker requires only network access and knowledge of the vulnerable endpoint path; no authentication, special tools, or user interaction is needed. Common directory-traversal payloads (e.g., ../../../etc/passwd or absolute paths) can be tested against the endpoint. However, successful exploitation depends on the attacker's ability to guess or enumerate valid file paths or extensions on the target system. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the straightforward nature of path traversal means proof-of-concept demonstrations are likely to surface quickly once the advisory gains visibility.
Remediation
Upgrade to a patched version of WWBN AVideo that addresses the path-traversal vulnerability. Verify against the vendor's official advisory for the exact patched version number and any configuration changes required. As an interim mitigation, restrict network access to the vulnerable endpoint using a Web Application Firewall (WAF) or reverse proxy to block requests containing traversal sequences (../ or encoded variants). Additionally, review file-system permissions to ensure the PHP process runs with minimal necessary privileges, limiting exposure even if the vulnerability is exploited.
Patch guidance
Monitor the WWBN AVideo project repository and security advisories for a patched release. Once available, apply the update following the vendor's upgrade procedures—typically involving backup, code update, and cache clearing. Test the patch in a staging environment to confirm the endpoint no longer serves arbitrary files. Verify that legitimate image-serving functionality (user profiles, thumbnails) continues to work as expected after patching. For air-gapped or offline deployments, contact the vendor for patch availability timelines.
Detection guidance
Monitor web server logs and WAF logs for suspicious requests to image-serving endpoints containing path-traversal patterns (e.g., %2e%2e/, ../, or /etc/ sequences). Implement request logging that captures the full URI and query string. Use intrusion detection signatures that identify common directory-traversal attacks. Conduct file-integrity monitoring on sensitive directories (user profiles, admin uploads, encrypted-video metadata) to detect unauthorized read access. If you suspect exploitation, review access logs for requests that successfully retrieved files outside the intended document root or accessed files belonging to other users or applications.
Why prioritize this
Although the CVSS score is Medium (5.3), this vulnerability should be prioritized because it enables unauthenticated access to sensitive image content—a direct violation of confidentiality. The low complexity of exploitation, combined with the absence of authentication requirements, means an attacker can begin reconnaissance and exfiltration immediately. Organizations handling user-uploaded photos or private video metadata should treat this as a near-term remediation priority. The vulnerability does not warrant emergency patching in the absence of active exploitation reports, but it should not be deferred beyond the next scheduled maintenance window.
Risk score, explained
CVSS 5.3 (Medium) reflects a network-accessible vulnerability with no authentication required, but limited impact scope (confidentiality only, no integrity or availability loss). The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates that while the barrier to exploitation is low, the consequences are constrained to information disclosure rather than system compromise. The score accurately represents the risk profile: moderate urgency due to unauthenticated access and low exploitation complexity, but not critical because data destruction or service disruption is not possible via this vector.
Frequently asked questions
Can an attacker modify or delete files using this vulnerability?
No. CVE-2026-46337 is a read-only disclosure vulnerability. An attacker can retrieve image files but cannot modify, delete, or execute code through this path-traversal vector. Integrity and availability of the system remain intact.
Does this vulnerability affect only self-hosted AVideo installations, or does it apply to SaaS deployments?
The vulnerability applies to any WWBN AVideo installation (version 29.0 or earlier) regardless of deployment model. Self-hosted, cloud-hosted, and containerized instances are all affected. If you run AVideo, you are at risk unless you have patched or implemented a workaround.
Is there a way to exploit this without guessing file paths?
An attacker with limited path knowledge could use information-disclosure techniques (error messages, timing, source-code review if the project is open-source, or reconnaissance of the server environment) to enumerate likely file locations. However, exploitation is more reliable if the attacker can narrow down target paths—for example, by observing user profile URLs in the web interface.
Should we immediately take AVideo offline if we cannot patch immediately?
Taking the service offline is an option, but not always necessary. A pragmatic interim step is to restrict access to the vulnerable endpoint using a WAF or reverse proxy, or to disable the image-serving endpoint entirely while you prepare a patch deployment. This allows other AVideo functionality to remain available while you mitigate the immediate risk.
This analysis is provided for informational purposes and is based on publicly available vulnerability data current as of the date of publication. Security assessments should be tailored to your specific environment and threat model. Patch version numbers and specific remediation steps should be verified against the official WWBN AVideo vendor advisory before implementation. SEC.co makes no warranty regarding the completeness or timeliness of this information. Always consult with your security team and follow your organization's change-management procedures before deploying patches or security controls. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45731MEDIUMWWBN AVideo Admin Path-Traversal File Read Vulnerability
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller