Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.

INFO

Published Date :

2026-03-23T18:39:33.513Z

Last Modified :

2026-03-24T16:13:23.412Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33681 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33681.

URL Resource
https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cb cve-icon cve-icon
https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qpr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact