CVE-2026-33293 Overview
CVE-2026-33293 is a path traversal vulnerability affecting WWBN AVideo, an open source video platform. Prior to version 26.0, the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to the unlink() function without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., ../../) to delete arbitrary files on the server, including critical application files such as configuration.php, causing complete denial of service or enabling further attacks by removing security-critical files.
Critical Impact
Authenticated attackers can leverage path traversal to delete arbitrary files on the server, potentially causing complete denial of service or enabling further exploitation by removing security-critical configuration files.
Affected Products
- WWBN AVideo versions prior to 26.0
- Installations with CloneSite plugin enabled
- Servers where clone credentials are accessible to attackers
Discovery Timeline
- 2026-03-22 - CVE-2026-33293 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33293
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the CloneSite plugin's cloneServer.json.php endpoint. The vulnerable code accepts user input via the deleteDump GET parameter and passes it directly to PHP's unlink() function without any validation or sanitization. This allows an authenticated attacker to craft requests containing path traversal sequences that escape the intended directory and delete any file in a directory the web server process can write to (unlink() requires write permission on the containing directory, not on the file itself).
The attack surface is particularly concerning because deletion of configuration files like configuration.php can immediately render the application inoperable. Additionally, removing security-critical files such as .htaccess rules or authentication modules could weaken the application's security posture and enable further attacks.
Root Cause
The root cause is improper input validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The vulnerable code directly concatenates user-supplied input with a base directory path and passes the result to unlink() without:
- Validating that the requested file exists within the allowed directory
- Stripping or rejecting path traversal sequences (../)
- Using basename() to extract only the filename component
- Verifying the resolved path with realpath() stays within boundaries
Attack Vector
The vulnerability is exploitable over the network by any attacker who possesses valid clone credentials for the AVideo instance. The attack requires:
- Authentication with clone site credentials
- Crafting a malicious request to the vulnerable endpoint with path traversal sequences
- Targeting sensitive files such as configuration.php, log files, or security configurations
The original vulnerable code:
if (!empty($_GET['deleteDump'])) {
    // The user-controlled value is appended to $clonesDir unchanged, so "../"
    // sequences move the resulting path outside the clones directory before unlink() runs.
    $resp->error = !unlink("{$clonesDir}{$_GET['deleteDump']}");
    $resp->msg = "Delete Dump {$_GET['deleteDump']}";
    die(json_encode($resp));
}
Source: GitHub Commit
The fix implements proper path validation using basename() to strip directory components and realpath() verification to ensure the resolved path stays within the $clonesDir boundary:
if (!empty($_GET['deleteDump'])) {
    // Security: Strip path traversal components and validate path stays within clonesDir
    $deleteDump = basename($_GET['deleteDump']);   // drops any directory part, so "../x" becomes "x"
    $filePath = "{$clonesDir}{$deleteDump}";
    $realFilePath = realpath($filePath);           // canonical path; false if the file does not exist
    $realClonesDir = realpath($clonesDir);
    // Reject when either path cannot be resolved or the file does not sit under the clones directory.
    // Note: strpos() is a plain string-prefix test and realpath() strips trailing slashes; a stricter
    // variant would compare against $realClonesDir . DIRECTORY_SEPARATOR.
    if ($realFilePath === false || $realClonesDir === false || strpos($realFilePath, $realClonesDir) !== 0) {
        $resp->msg = "Invalid file path";
        die(json_encode($resp));
    }
    $resp->error = !unlink($realFilePath);         // unlink the canonical path, not the raw input
    $resp->msg = "Delete Dump {$deleteDump}";
    die(json_encode($resp));
}
Source: GitHub Commit
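The Root Cause list and the patch above describe the same three-step defence: reduce the input to a filename, canonicalize it, and confirm the result still lies under the clones directory. The following Python script is an added example (not code from AVideo or its maintainers) that mirrors that logic so it can be exercised against traversal inputs on a constructed temporary directory layout. It deliberately uses a component-wise containment test (os.path.commonpath) instead of a raw string-prefix comparison, and includes the weaker prefix-only variant alongside it to show the one case where the two differ: a symlink inside the allowed directory whose target lives in a sibling directory that merely shares the name prefix. The directory names and file contents are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional


def resolve_dump_path(clones_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of a dump file inside clones_dir, or None if the
    request must be refused. Same shape as the patched PHP (basename -> realpath ->
    containment), but the containment test compares whole path components."""
    name = os.path.basename(requested)        # drops every directory component, so "../../x" -> "x"
    if name in ("", ".", ".."):
        return None
    root = os.path.realpath(clones_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if not os.path.isfile(candidate):         # PHP realpath() returns false for a missing file
        return None
    # commonpath() works on path components, so "/srv/clones_evil/..." is not accepted
    # for a root of "/srv/clones"; a symlink inside the directory that points elsewhere is
    # resolved by realpath() first and then rejected here.
    try:
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:                        # mixed absolute/relative or different drives
        contained = False
    return candidate if contained else None


def prefix_check_accepts(clones_dir: str, requested: str) -> bool:
    """Weaker variant for comparison: a raw string-prefix test on the resolved path."""
    root = os.path.realpath(clones_dir)
    candidate = os.path.realpath(os.path.join(root, os.path.basename(requested)))
    return os.path.isfile(candidate) and candidate.startswith(root)


def build_fixture() -> str:
    """Constructed layout for the demonstration (not from the project):
       <tmp>/clones/dump1.sql        legitimate dump
       <tmp>/clones/escape.sql       symlink -> <tmp>/clones_evil/secret.txt
       <tmp>/clones_evil/secret.txt  sibling directory sharing the name prefix
       <tmp>/configuration.php       the file a traversal would aim at"""
    base = tempfile.mkdtemp()
    clones = os.path.join(base, "clones")
    evil = os.path.join(base, "clones_evil")
    os.makedirs(clones)
    os.makedirs(evil)
    for path in (os.path.join(clones, "dump1.sql"),
                 os.path.join(evil, "secret.txt"),
                 os.path.join(base, "configuration.php")):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("placeholder\n")
    try:
        os.symlink(os.path.join(evil, "secret.txt"), os.path.join(clones, "escape.sql"))
    except OSError:
        pass                                  # symlinks may be unavailable on this platform
    return clones


def run_checks() -> dict:
    """Run every input through both checks and report the outcomes as booleans."""
    clones = build_fixture()
    symlinked = os.path.islink(os.path.join(clones, "escape.sql"))
    return {
        "legit_accepted": resolve_dump_path(clones, "dump1.sql") is not None,
        "traversal_rejected": resolve_dump_path(clones, "../../configuration.php") is None,
        "dotdot_rejected": resolve_dump_path(clones, "..") is None,
        "symlink_escape_rejected": resolve_dump_path(clones, "escape.sql") is None,
        "symlink_created": symlinked,
        # the prefix-only variant accepts the symlinked path because it starts with the root string
        "prefix_check_fooled": symlinked and prefix_check_accepts(clones, "escape.sql"),
    }


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check:26s} {outcome}")
```

Note that basename() alone already turns "../../configuration.php" into a lookup for clones/configuration.php; the realpath() and containment steps are what make the check robust when the directory contents themselves are not trusted.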
Detection Methods for CVE-2026-33293
Indicators of Compromise
- HTTP requests to /plugin/CloneSite/cloneServer.json.php containing deleteDump parameter with path traversal sequences (../)
- Missing critical application files such as configuration.php without administrative action
- Unexplained file deletions in web server logs, particularly targeting configuration or security files
- Authentication failures or application errors following suspicious requests to the CloneSite endpoint
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing path traversal patterns (../, ..%2f, ..%5c) in the deleteDump parameter
- Monitor web server access logs for requests to cloneServer.json.php with suspicious parameter values
- Deploy file integrity monitoring (FIM) on critical application files to detect unauthorized deletions
- Enable PHP error logging to capture unlink() failures that may indicate exploitation attempts
Monitoring Recommendations
- Configure alerting for any requests to CloneSite plugin endpoints containing encoded or plaintext path traversal sequences
- Monitor for sudden application availability issues that could indicate configuration file deletion
- Review web server logs regularly for unusual patterns of file deletion requests
- Implement audit logging for all administrative and clone-related operations
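The detection and monitoring items above reduce to one concrete check: find requests to cloneServer.json.php whose deleteDump value, once fully percent-decoded, contains a directory separator or a ".." segment. The script below is an added example (not part of the advisory or of AVideo) that runs that check over a handful of constructed Apache combined-format log lines. It decodes repeatedly so that "..%2f", "..%5c" and double-encoded "%252e%252e" variants all normalize to the same form, treats backslashes as separators, and flags any directory component at all, since a legitimate dump name has none. The log lines, IP addresses and user agents are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote
from typing import Optional

ENDPOINT = "/plugin/CloneSite/cloneServer.json.php"

# Constructed Apache combined-format access-log lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2026:10:15:01 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=dump_2026-03-21.sql HTTP/1.1" 200 54 "-" "curl/8.5.0"
203.0.113.5 - - [22/Mar/2026:10:15:07 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=..%2F..%2Fconfiguration.php HTTP/1.1" 200 61 "-" "curl/8.5.0"
192.0.2.7 - - [22/Mar/2026:10:15:30 +0000] "GET /videos/index.php?id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Mar/2026:10:16:00 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=%252e%252e%5c%252e%252e%5cconfiguration.php HTTP/1.1" 200 61 "-" "python-requests/2.31"
198.51.100.9 - - [22/Mar/2026:10:16:04 +0000] "GET /plugin/CloneSite/cloneServer.json.php?deleteDump=../../.htaccess HTTP/1.1" 200 61 "-" "python-requests/2.31"
10.0.0.4 - - [22/Mar/2026:10:17:00 +0000] "POST /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 120 "-" "AVideo-Clone"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> tuple:
    """Percent-decode until the value stops changing; returns (decoded, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def delete_dump_param(target: str) -> Optional[str]:
    """Raw (still encoded) deleteDump value when the request targets the CloneSite endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key) == "deleteDump":
            return raw
    return None


def classify_delete_dump(raw_value: str) -> set:
    """Reasons the value looks like traversal; an empty set means a plain filename."""
    decoded, rounds = fully_decode(raw_value)
    normalized = decoded.replace("\\", "/")          # treat ..%5c the same as ..%2f
    reasons = set()
    if rounds > 1:
        reasons.add("double-encoded")                # %252e-style payloads aimed at single-pass normalizers
    if "/" in normalized:
        reasons.add("directory-separator")           # a dump filename should carry no directory part
    if ".." in normalized.split("/"):
        reasons.add("dot-dot-segment")
    if "\x00" in decoded:
        reasons.add("null-byte")
    return reasons


def scan_access_log(lines) -> list:
    """Return one finding per suspicious deleteDump request: source IP, timestamp, raw value, reasons."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = delete_dump_param(m.group("target"))
        if raw is None:
            continue
        reasons = classify_delete_dump(raw)
        if reasons:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "raw": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:14s}  {sorted(f['reasons'])}  deleteDump={f['raw']}")
```

The same classify_delete_dump() logic can be lifted into a WAF or SIEM rule; the point of decoding more than once is that the web server hands PHP a single-decoded value, so a double-encoded request is not an effective traversal but is a strong signal that someone is probing the endpoint.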
How to Mitigate CVE-2026-33293
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- If immediate upgrade is not possible, disable or restrict access to the CloneSite plugin
- Review clone credentials and ensure they are not compromised or shared unnecessarily
- Audit recent access logs for exploitation attempts against the cloneServer.json.php endpoint
- Verify integrity of critical application files, especially configuration.php
Patch Information
WWBN has released version 26.0 which addresses this vulnerability. The fix is available in commit 941decd6d19e2e694acb75e86317d10fbb560284. The patch implements proper input validation using basename() to strip directory components and realpath() verification to ensure file paths remain within the designated clones directory. For detailed information, see the GitHub Security Advisory and the patch commit.
Workarounds
- Disable the CloneSite plugin entirely if clone functionality is not required
- Implement network-level access controls to restrict access to the plugin/CloneSite/ directory to trusted IP addresses only
- Deploy a WAF rule to block requests containing path traversal sequences in the deleteDump parameter
- Restrict filesystem permissions so the web server process can write only to the directories it needs; unlink() requires write permission on the containing directory, so keeping the application root owned by a different user limits what an arbitrary file deletion can reach
# Example: restrict access to the CloneSite plugin directory to a trusted subnet.
# A <Directory> block is only valid in the server or virtual-host configuration;
# inside plugin/CloneSite/.htaccess use the inner directives without the wrapper.
<Directory "/var/www/avideo/plugin/CloneSite">
    # Apache 2.4 (mod_authz_core)
    Require ip 192.168.1.0/24
    # Apache 2.2 equivalent (needs mod_access_compat on 2.4; do not combine with Require)
    # Order deny,allow
    # Deny from all
    # Allow from 192.168.1.0/24
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

