The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33292

CVE-2026-33292: Wwbn Avideo Path Traversal Vulnerability

CVE-2026-33292 is a path traversal flaw in Wwbn Avideo that allows unauthenticated attackers to access private or paid videos. This article covers technical details, affected versions, security impact, and mitigation.

Published: March 27, 2026

CVE-2026-33292 Overview

WWBN AVideo is an open source video platform that contains a path traversal vulnerability in its HLS streaming endpoint. Prior to version 26.0, the view/hls.php endpoint is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths — one for authorization (which truncates at the first / segment) and one for file access (which preserves .. traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another.

Critical Impact

Unauthenticated attackers can bypass authorization controls to access and stream private or paid video content, potentially leading to intellectual property theft and revenue loss for content creators.

Affected Products

  • WWBN AVideo versions prior to 26.0
  • All installations utilizing the HLS streaming functionality (view/hls.php)
  • Self-hosted and cloud-deployed AVideo instances without the security patch

Discovery Timeline

  • 2026-03-22 - CVE-2026-33292 published to NVD
  • 2026-03-23 - Last updated in NVD database

Technical Details for CVE-2026-33292

Vulnerability Analysis

This vulnerability represents a classic path traversal (CWE-22) attack vector with a particularly dangerous twist: a split-oracle condition. The vulnerability exists because the application processes the same user-supplied input (videoDirectory parameter) through two separate code paths that handle the data differently.

The authorization code path truncates the parameter at the first / segment to determine which video resource to validate access against. However, the file access code path preserves directory traversal sequences such as .. intact. This discrepancy creates a scenario where an attacker can craft a request that passes authorization checks for one video (potentially a public video they have access to) while actually retrieving content from a completely different, protected video resource.

The attack requires no authentication and can be executed remotely over the network, making it particularly dangerous for platforms hosting premium or sensitive video content.

Root Cause

The root cause of this vulnerability is inconsistent input handling between the authorization and file access components. The authorization logic performs premature truncation of the path parameter at the first / character, while the file serving logic processes the full path including relative directory sequences. This creates a Time-of-Check to Time-of-Use (TOCTOU) variant where the checked resource differs from the accessed resource.

Proper input validation should have normalized and validated the path before any processing, ensuring that both authorization and file access operate on the same canonical path representation.

Attack Vector

The attack exploits the HLS streaming endpoint through a specially crafted HTTP GET request. An attacker can manipulate the videoDirectory parameter to include path traversal sequences that navigate outside the intended video directory structure.

The attack flow works as follows: the attacker constructs a URL where the videoDirectory parameter contains a legitimate video identifier followed by traversal sequences (like ../) that point to a protected video. The authorization code only validates the portion before the first /, passing the access check. The file serving code then resolves the full path including the traversal, serving content from the protected video.

This split-oracle behavior allows complete bypass of video access controls without requiring any authentication credentials.

Detection Methods for CVE-2026-33292

Indicators of Compromise

  • Unusual access patterns to view/hls.php with videoDirectory parameters containing .. sequences
  • HTTP requests with URL-encoded path traversal patterns such as %2e%2e%2f or %2e%2e/
  • Access logs showing successful responses for HLS requests from unauthenticated sessions targeting premium content
  • Increased bandwidth consumption on video assets without corresponding valid user sessions

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block path traversal patterns in the videoDirectory parameter
  • Configure intrusion detection systems to alert on requests containing multiple consecutive ../ sequences
  • Monitor application logs for anomalous access patterns to the /view/hls.php endpoint
  • Deploy file integrity monitoring on video storage directories to detect unauthorized access patterns

Monitoring Recommendations

  • Enable detailed request logging for all HLS streaming endpoints with full parameter capture
  • Set up alerts for requests to view/hls.php containing encoded or decoded path traversal characters
  • Monitor for spikes in video streaming bandwidth that don't correlate with authenticated user sessions
  • Implement rate limiting on the HLS endpoint to slow down automated exploitation attempts

How to Mitigate CVE-2026-33292

Immediate Actions Required

  • Upgrade WWBN AVideo to version 26.0 or later immediately
  • Review access logs for evidence of exploitation attempts targeting the view/hls.php endpoint
  • Implement WAF rules to block requests containing path traversal sequences as a temporary measure
  • Audit access to premium and private video content for any unauthorized streaming activity

Patch Information

WWBN has released version 26.0 which contains a fix for this vulnerability. The patch ensures consistent path handling between the authorization and file access code paths, eliminating the split-oracle condition. The fix is available in commit bc034066281085af00e64b0d7b81d8a025a928c4. Administrators should update to version 26.0 or apply the patch as soon as possible.

For additional details, refer to the GitHub Security Advisory GHSA-pw4v-x838-w5pg and the GitHub commit containing the fix.

Workarounds

  • Restrict access to view/hls.php at the web server level using allow-lists for known authenticated IP ranges
  • Implement a reverse proxy rule that validates and normalizes all path parameters before forwarding to AVideo
  • Temporarily disable public access to HLS streaming functionality until the patch can be applied
  • Configure web server rules to reject any request to the HLS endpoint containing .. in any parameter
bash
# Example nginx configuration to block path traversal attempts
location /view/hls.php {
    if ($args ~* "\.\.") {
        return 403;
    }
    # Normal proxy/fastcgi configuration continues here
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechWwbn Avideo
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-22
  • Vendor Resources
  • GitHub AVideo Commit Update
  • GitHub Security Advisory GHSA-pw4v-x838-w5pg
  • Related CVEs
  • CVE-2026-33681: WWBN AVideo Path Traversal Vulnerability
  • CVE-2026-33513: WWBN AVideo Path Traversal Vulnerability
  • CVE-2026-33293: Wwbn Avideo Path Traversal Vulnerability
  • CVE-2026-33354: Wwbn Avideo Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English