Skip to main content

AVideo CVE-2026-46337

| EUVDEUVD-2026-33305 MEDIUM
Path Traversal (CWE-22)
2026-05-19 https://github.com/WWBN/AVideo GHSA-w4qq-74h6-58wq
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 29, 2026 - 14:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 19, 2026 - 17:01 vuln.today
Analysis Generated
May 19, 2026 - 17:01 vuln.today

DescriptionGitHub Advisory

Summary

The endpoint requires no authentication. An unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open - including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal.

Details

view/img/image404Raw.php reads the image GET parameter and joins it directly into a filesystem path served via readfile(). view/img/image404Raw.php (full file, current master @ 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485):

php
<?php

// Fetch requested image URL
$imageURL = !empty($_GET['image']) ? $_GET['image'] : $_SERVER["REQUEST_URI"];
$rootDir = dirname(__FILE__) . '/../../';
if ($imageURL == 'favicon.ico') {
    $imgLocalFile = "{$rootDir}/videos/{$imageURL}";
} else {
    $imgLocalFile = "{$rootDir}/{$imageURL}";   // ← attacker-controlled
}

if (file_exists($imgLocalFile)) {
    $imageInfo = getimagesize($imgLocalFile);   // ← format gate
    if (empty($imageInfo)) {
        die('not image');
    }
    // …extension → Content-Type mapping…
    header("HTTP/1.0 200 OK");
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($imgLocalFile));
    readfile($imgLocalFile);   // ← exfil bytes
    exit;
}

Issues:

  1. No authentication. The file is reachable via direct GET; no require of globals.php, no session check, no API-key gate.
  2. No basename / realpath / prefix containment. $_GET['image'] is concatenated into $imgLocalFile with no .. filtering, no realpath() resolution, no allowlist check against the intended view/img/ directory.
  3. getimagesize() is a magic-bytes check, not a path constraint. Any file on disk whose first bytes match a recognized image format (FFD8FF JPEG, 89504E47 PNG, 474946 GIF, 52494646…57454250 WebP) passes the gate - including images stored outside any ACL'd area of the application.
  4. $_SERVER["REQUEST_URI"] fallback when image is empty widens the attack surface (path components in the URI itself land in $imgLocalFile).

Re-verified pre-submission on 2026-05-13 against view/img/image404Raw.php blob SHA c670b0faff4fbea1fd0508f179956975477d4340 - unsafe shape unchanged since first discovery on 2026-05-12.

Recommended fix - three layered checks, any one alone is insufficient:

php
// view/img/image404Raw.php - proposed fix
<?php

$imageURL = !empty($_GET['image']) ? $_GET['image'] : '';
if ($imageURL === '') {
    http_response_code(400);
    exit('bad request');
}

// 1. Reject any path-traversal segment outright.
if (strpos($imageURL, '..') !== false
    || strpos($imageURL, "\0") !== false
    || strpos($imageURL, '://') !== false) {
    http_response_code(400);
    exit('bad request');
}

// 2. Resolve to a real path and verify prefix containment under the
//    intended image directory.
$rootDir = realpath(dirname(__FILE__) . '/../../');
$imgLocalFile = realpath($rootDir . '/' . $imageURL);
if ($imgLocalFile === false
    || (strpos($imgLocalFile, $rootDir . '/videos/') !== 0
        && strpos($imgLocalFile, $rootDir . '/view/img/') !== 0)) {
    http_response_code(404);
    exit('not found');
}

// 3. Existing getimagesize() check stays as defense-in-depth.
if (!is_file($imgLocalFile)) {
    http_response_code(404);
    exit('not found');
}
$imageInfo = @getimagesize($imgLocalFile);
if (empty($imageInfo)) {
    http_response_code(404);
    exit('not image');
}

// …rest of the original Content-Type + readfile() flow unchanged…

Drop the $_SERVER["REQUEST_URI"] fallback entirely; if no image parameter is provided, return 400.

PoC

Discovery probe - any HTTP client, no authentication, no cookies:

http
GET /view/img/image404Raw.php?image=../videos/userPhoto/photo1.jpg HTTP/1.1
Host: avideo.example.com

If videos/userPhoto/photo1.jpg exists on the server, the response is the raw image bytes (HTTP 200, Content-Type: image/jpeg). The application's normal user-photo serving wrapper (which can gate by session / channel ownership) is bypassed entirely.

Cross-directory probe - read images outside the AVideo install root:

http
GET /view/img/image404Raw.php?image=../../../var/www/other-app/uploads/users/admin.jpg HTTP/1.1
Host: avideo.example.com

If the PHP user has read access to a sibling app's image directory, those files are exfiltrable too.

Enumeration - iterate over predictable numeric IDs:

GET /view/img/image404Raw.php?image=../videos/userPhoto/photo1.jpg
GET /view/img/image404Raw.php?image=../videos/userPhoto/photo2.jpg
GET /view/img/image404Raw.php?image=../videos/userPhoto/photo3.jpg
...

…to harvest all profile images regardless of the application's intended privacy controls.

Impact

Path traversal → arbitrary image read (CWE-22 + CWE-284). Affects any AVideo deployment running master through commit 0dbadbca and likely every release on the supported branches. The attacker:

  1. Bypasses the application's image-content ACLs. Profile photos under videos/userPhoto/ and admin-uploaded private thumbnails that AVideo's normal image-serving wrappers gate by session / channel ownership become readable to any anonymous internet user.
  2. Reads images stored outside the AVideo install root. On shared-hosting / multi-tenant deployments, .. traversal lets the attacker page into sibling-app upload directories - anywhere the PHP user has read access on disk and the target file's first bytes form a valid image header.
  3. Enables enumeration at scale. Numeric ID schemes (photo1.jpg, photo2.jpg, …) and predictable filenames let an attacker harvest every private image on a deployment without detection (each request looks like a single 200-image-OK to the web log).

Because the read primitive is restricted to image-magic-bytes files, there is no source-code or credential exfiltration via this primitive alone - but the privacy / GDPR exposure is substantial on any deployment that hosts user-uploaded photos. CVSS 5.3 (Medium) reflects the limited but real confidentiality impact; many operators will rate this higher because the leaked content is user-private by intent.

This is not a silent-fix disclosure - the bug is still present on current master at submission time; the maintainer is being notified of a previously-unknown issue.

AnalysisAI

Unauthenticated path traversal in AVideo's view/img/image404Raw.php allows any remote attacker to read arbitrary image files accessible to the PHP process, bypassing all application-layer ACLs that normally gate private user photos, admin thumbnails, and encrypted-video poster frames. The vulnerability affects all versions through the current master branch (commit 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485) and all releases up to and including 29.0 (pkg:composer/wwbn_avideo). No vendor-released patch is currently available, and a working proof-of-concept is publicly disclosed in GHSA-w4qq-74h6-58wq, making this immediately actionable by any unauthenticated attacker with HTTP access to the deployment.

Technical ContextAI

The affected component is view/img/image404Raw.php in the WWBN AVideo PHP application (pkg:composer/wwbn_avideo <= 29.0). The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): the $_GET['image'] parameter is concatenated directly into a filesystem path variable ($imgLocalFile = "{$rootDir}/{$imageURL}") and then passed to readfile() with no realpath() resolution, no .. filtering, no null-byte sanitization, and no allowlist prefix check. The sole gatekeeping mechanism is PHP's getimagesize(), which validates file magic bytes (JPEG: FFD8FF, PNG: 89504E47, GIF: 474946, WebP: 52494646...57454250) but imposes zero constraint on the filesystem path - any image-format file readable by the PHP process passes. A secondary attack surface exists via the $_SERVER['REQUEST_URI'] fallback when the image parameter is absent, widening scope further. The advisory also cites CWE-284 (Improper Access Control) because the normal session- and channel-ownership checks in AVideo's standard image-serving wrappers are entirely bypassed by accessing this endpoint directly.

RemediationAI

No vendor-released patch has been identified at time of analysis - fix version is listed as None in the advisory data, and the vulnerable code remains on current master. Until an official patch is released, operators should apply web-server-level access controls to block direct requests to view/img/image404Raw.php (e.g., Apache <Files image404Raw.php> Require all denied </Files> or nginx location ~ image404Raw\.php { deny all; }) - note this disables the 404 image fallback behavior that this endpoint was designed to serve, which may produce broken image placeholders in error pages. As an interim PHP-level measure, prepend a session-check require to the file, though this is inferior to the web-server block because it requires modifying tracked source files that may be overwritten on update. The GHSA advisory proposes a three-layer code fix: (1) reject any image parameter containing .., null bytes, or ://; (2) resolve the path with realpath() and enforce prefix containment to the videos/ or view/img/ directories only; (3) drop the $_SERVER['REQUEST_URI'] fallback entirely and return HTTP 400 when no image parameter is present. Monitor https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq and the AVideo repository for an official patched release.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-46337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy