Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.

INFO

Published Date :

2026-03-22T16:35:16.181Z

Last Modified :

2026-03-24T17:48:13.332Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33293 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33293.

URL Resource
https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284 cve-icon cve-icon
https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact