7.6
CVE-2026-39369
- EPSS 0.41%
- Published 07.04.2026 19:24:33
- Last modified 22.04.2026 18:50:33
- Source security-advisories@github.com
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.327 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.6 | 2.8 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/WWBN/AVideo/security/advisories/GHSA-f4f9-627c-jh33
https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d