GHSA-3MJV-375J-6H92
Vulnerability from github – Published: 2026-05-18 19:01 – Updated: 2026-05-18 19:01
Summary
view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process — especially valuable on misconfigured deployments where /etc/passwd, .env, or other sibling-app configs are reachable relative to the AVideo directory.
Details
view/update.php, lines 134-145 (excerpt):
if (!empty($_POST['updateFile'])) {
    $dir = Video::getStoragePath() . "cache";
    rrmdir($dir);
    /* …unrelated cache-clear… */

    if (file_exists($logfile . "log")) {
        unlink($logfile . "log");
        // ...
    }
    $lines = file("{$global['systemRootPath']}updatedb/{$_POST['updateFile']}");
The User::isAdmin() and adminSecurityCheck(true) guards at lines 12-15 enforce admin auth, but $_POST['updateFile'] is concatenated into a path without any sanitization. file() returns the file's contents as an array of lines; the script subsequently iterates them and echoes the SQL it would run.
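One way to close the hole described above, as an added example that is not AVideo's own fix: resolve the requested name against an allowlist of the migration files actually present in updatedb/ and check that the canonical path stays inside that directory. The function name resolveUpdateFile, the assumption that migrations are *.sql files, and the 400 response are mine; $global['systemRootPath'] and updatedb/ come from the advisory.

```php
<?php
// Added example, not AVideo's code: accept only a migration that actually
// ships in updatedb/ and reject any name that could escape that directory.
// Function name, the .sql suffix and the 400 response are assumptions.

/**
 * Return the canonical path of $requested inside $updateDir, or null when the
 * name is not a bare *.sql file name or is not present in the directory.
 */
function resolveUpdateFile(string $updateDir, string $requested): ?string
{
    $base = realpath($updateDir);
    if ($base === false) {
        return null;
    }

    // Bare file name only: no separators, no NUL bytes, no leading dot,
    // so "../../../../etc/passwd" and ".env" never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\.sql\z/', $requested)) {
        return null;
    }

    // Allowlist: the request must match a regular file that exists in updatedb/.
    $allowed = array_filter(
        scandir($base) ?: [],
        fn(string $f): bool => is_file($base . DIRECTORY_SEPARATOR . $f)
    );
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // Defence in depth: the resolved path must still sit under updatedb/,
    // which also catches a symlink inside the directory pointing elsewhere.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// In the migration runner, in place of the raw string concatenation:
$target = resolveUpdateFile($global['systemRootPath'] . 'updatedb', (string) ($_POST['updateFile'] ?? ''));
if ($target === null) {
    http_response_code(400);
    exit('Invalid update file');
}
$lines = file($target);
```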
PoC
POST /view/update.php
Content-Type: application/x-www-form-urlencoded

updateFile=../../../../etc/passwd

Result: the script attempts to load /etc/passwd (relative to {systemRootPath}updatedb/), echoing each line in the migration-runner HTML output. The $_POST['updateFile'] value is used with its traversal sequences intact: there is no extension guard and no in_array() whitelist.
Attempting ../../../../proc/self/environ similarly reveals web-server environment variables on Linux.
Impact
Verified on the current master branch of WWBN/AVideo (commit bc0340662…). Likely affected: every release where view/update.php contains the $_POST['updateFile'] consumer — pattern predates 2024.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "WWBN/AVideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45731"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T19:01:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nview/update.php reads $_POST[\u0027updateFile\u0027] as a relative path under updatedb/ and passes it to PHP\u0027s file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process \u2014 especially valuable on misconfigured deployments where /etc/passwd, .env, or other sibling-app configs are reachable relative to the AVideo directory.\n\n### Details\nview/update.php, lines 134-145 (excerpt):\n\nif (!empty($_POST[\u0027updateFile\u0027])) {\n $dir = Video::getStoragePath() . \"cache\";\n rrmdir($dir);\n /* \u2026unrelated cache-clear\u2026 */\n\n if (file_exists($logfile . \"log\")) {\n unlink($logfile . \"log\");\n // ...\n }\n $lines = file(\"{$global[\u0027systemRootPath\u0027]}updatedb/{$_POST[\u0027updateFile\u0027]}\");\nThe User::isAdmin() and adminSecurityCheck(true) guards at lines 12-15 enforce admin auth, but $_POST[\u0027updateFile\u0027] is concatenated into a path without any sanitization. file() returns the file\u0027s contents as an array of lines; the script subsequently iterates them and echoes the SQL it would run.\n\n### PoC\nPOST /view/update.php\nContent-Type: application/x-www-form-urlencoded\n\nupdateFile=../../../../etc/passwd\nResult: the script attempts to load /etc/passwd (relative to {systemRootPath}updatedb/), echoing each line in the migration-runner HTML output. $_POST[\u0027updateFile\u0027] traversal accepted, no extension guard, no in-array whitelist.\n\nAttempting ../../../../proc/self/environ similarly reveals web-server environment variables on Linux.\n\n\n\n### Impact\nVerified on the current master branch of WWBN/AVideo (commit bc0340662\u2026). Likely affected: every release where view/update.php contains the $_POST[\u0027updateFile\u0027] consumer \u2014 pattern predates 2024.",
"id": "GHSA-3mjv-375j-6h92",
"modified": "2026-05-18T19:01:59Z",
"published": "2026-05-18T19:01:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3mjv-375j-6h92"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AVideo: Authenticated Arbitrary File Read in view/update.php"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.