Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 26.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/81b591c509835505cb9f298aa1162ac64c4152cbPatch
- https://github.com/WWBN/AVideo/security/advisories/GHSA-3hwv-x8g3-9qprExploitVendor Advisory
FAQ
What is CVE-2026-33681?
CVE-2026-33681 is a vulnerability with a CVSS score of 7.2 (HIGH). WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin...
How severe is CVE-2026-33681?
CVE-2026-33681 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33681?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.