CVE-2026-33293
🟠 Łataj w tym tygodniu
Brak sanitizacji parametru `deleteDump` w WWBN AVideo pozwala na atak typu path traversal, co umożliwia usunięcie krytycznych plików serwera.
CVSS
8.1
EPSS
0.0%
Exploit
poc
Vendor
wwbn
Opis źródłowy (NVD)
WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical application files such as `configuration.php`, causing complete denial of service or enabling further attacks by removing security-critical files. Version 26.0 fixes the issue.
dos exploit path-traversal
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.1 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-03-22 17:17:08 UTC |
| Ostatnia modyfikacja (NVD) | 2026-03-24 21:14:05 UTC |
Referencje
- https://github.com/WWBN/AVideo/commit/941decd6d19e2e694acb75e86317d10fbb560284 (security-advisories@github.com) [Patch]
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226 (security-advisories@github.com) [Exploit, Vendor Advisory]