EUVD-2026-19883
GHSA-f4f9-627c-jh33
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
3Tags
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
Analysis
Path traversal in WWBN AVideo platform ≤26.0 allows authenticated uploaders to read arbitrary server files via GIF poster manipulation. An attacker with uploader privileges can exploit aVideoEncoderReceiveImage.json.php to bypass path sanitization, fetch local files like /etc/passwd or application source code, and republish the contents through publicly accessible GIF media URLs. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WWBN AVideo instances running version 26.0 or earlier and document active uploader accounts. Within 7 days: Disable or revoke upload privileges for non-essential user accounts; implement file access logging on the aVideoEncoderReceiveImage.json.php endpoint; review recent GIF poster uploads for anomalies. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today