CVE-2026-33681 Overview
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName() without any path traversal sanitization. This allows an authenticated admin (or an unauthenticated attacker who gets a logged-in admin's browser to submit the request via CSRF) to traverse outside the plugin directory and execute the contents of any install/install.sql file on the filesystem as raw SQL queries against the application database. Commit 81b591c509835505cb9f298aa1162ac64c4152cb contains a patch.
Critical Impact
Authenticated administrators, or attackers who route the request through a logged-in admin's browser via CSRF, can run the SQL contained in any install/install.sql file reachable by traversal from the plugin directory. Because that SQL runs over the application's own database connection, the outcome can be complete database compromise, data exfiltration, or a persistent backdoor such as an added administrative account.
Affected Products
- WWBN AVideo versions up to and including 26.0 (fixed by commit 81b591c509835505cb9f298aa1162ac64c4152cb)
- Any deployment on which objects/pluginRunDatabaseScript.json.php is reachable over the network; exploitation requires an admin session, either the attacker's own or one borrowed from a logged-in admin through CSRF, so exposure does not depend on whether the installation is self-hosted
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-33681 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33681
Vulnerability Analysis
This vulnerability is a classic Path Traversal (CWE-22) flaw. It lets an authenticated administrator, or an unauthenticated attacker who gets a logged-in administrator's browser to send the request via Cross-Site Request Forgery, escape the intended plugin directory and execute a SQL file outside it against the application database. Note that the file name is fixed to install/install.sql; only the directory portion of the path is attacker-controlled.
The vulnerable endpoint objects/pluginRunDatabaseScript.json.php is designed to execute database migration scripts for plugins. However, the implementation fails to sanitize the name parameter before passing it to Plugin::getDatabaseFileName(). Without proper validation, directory traversal sequences such as ../ can be injected to navigate outside the designated plugin directory structure.
The impact is significant because once the function is pointed at any install/install.sql file on the filesystem, that file's contents are executed as raw SQL. Which statements run depends on what exists at the target: pointing it at an existing installer script (which typically creates or replaces tables and seeds rows) can disrupt or reset parts of the schema, and an attacker who can also write an install/install.sql under a directory reachable by traversal (for example through a separate upload or file-write primitive) gets fully attacker-chosen SQL. Either way the statements can modify records, create administrative accounts, extract data, or drop tables.
Root Cause
The root cause is missing input validation in the objects/pluginRunDatabaseScript.json.php endpoint: the name parameter is passed straight to Plugin::getDatabaseFileName() without rejecting path traversal sequences (../ and, on Windows hosts, ..\). User-supplied input should never be used to build a file path without an allowlist on the accepted characters, canonicalization, and a check that the resolved path still lies under the intended base directory.
Attack Vector
The attack vector is network-based. It requires either an administrative session or the ability to make a logged-in admin's browser issue the request (CSRF). The attacker sends a POST request to the vulnerable endpoint with a name parameter containing traversal sequences; the server builds a file path from it, resolves to an install/install.sql file outside the plugin directory, and executes that file.
Concretely, the endpoint builds a path of the form <plugin directory>/<name>/install/install.sql. With a name such as ../../../../some/dir, the ../ segments cancel out the plugin-directory prefix and the path resolves to /some/dir/install/install.sql. PHP URL-decodes the request body before the script sees it, so an encoded %2e%2e%2f behaves exactly like a literal ../. The targeted file is executed with the privileges of the database account the application itself uses, so the SQL can do anything that account can do.
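The path construction described above, modelled as an added example in Python (this is not AVideo's code and does not reproduce Plugin::getDatabaseFileName(); the plugin directory and the exact way the suffix is appended are assumptions). The vulnerable function shows how ../ segments in name walk out of the base directory while the install/install.sql suffix stays fixed; the hardened function shows the two checks a fix needs, an allowlist on the plugin name and a canonical-path boundary check:

```python
import posixpath
import re
from typing import Optional

# Assumed layout for the demonstration; the real AVideo install path differs.
PLUGIN_DIR = "/var/www/html/plugin"
SQL_SUFFIX = "install/install.sql"


def vulnerable_database_file(name: str) -> str:
    """Model of the unpatched behaviour: the name is spliced into the path with
    no validation, so '../' segments walk out of PLUGIN_DIR. The suffix is
    fixed, which is why only files named install/install.sql are reachable."""
    return posixpath.normpath(f"{PLUGIN_DIR}/{name}/{SQL_SUFFIX}")


# Plugin names are plain identifiers; anything else is rejected outright.
NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def hardened_database_file(name: str) -> Optional[str]:
    """Two independent checks: a strict allowlist on the plugin name and a
    canonical-path boundary check. Returns None when the request must be
    rejected. posixpath.normpath is used so the example runs on any OS; in
    PHP the equivalent is realpath() plus a prefix comparison."""
    if not NAME_RE.fullmatch(name):
        return None
    candidate = posixpath.normpath(f"{PLUGIN_DIR}/{name}/{SQL_SUFFIX}")
    # Even if the allowlist were loosened later, a path that normalises to
    # somewhere outside PLUGIN_DIR is refused here.
    if posixpath.commonpath([PLUGIN_DIR, candidate]) != PLUGIN_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for candidate in ("YouTube", "../../../../tmp/evil", "YouTube/../../etc"):
        print(f"{candidate!r:28} vulnerable -> {vulnerable_database_file(candidate)}")
        print(f"{'':28} hardened   -> {hardened_database_file(candidate)}")
```

The boundary check is deliberately kept even though the allowlist alone would block every traversal: the allowlist guards the input, the path check guards the output, and a later change to either the regex or the way the path is assembled is caught by the other.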
Detection Methods for CVE-2026-33681
Indicators of Compromise
- POST requests to objects/pluginRunDatabaseScript.json.php whose name parameter contains ../ or a URL-encoded form (%2e%2e%2f, or double-encoded %252e%252e%252f). Standard web server access logs do not record POST bodies, so this indicator is only visible in application logs, a WAF, or a reverse proxy configured to log request bodies
- Database audit logs showing unexpected SQL execution, particularly table creation, user account modifications, or data extraction queries
- Web server access logs with repeated requests to the vulnerable endpoint from unexpected source addresses, or with Origin or Referer headers that are absent or point to another site (potential CSRF)
- New administrative user accounts appearing in the AVideo database without legitimate creation
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in POST parameters targeting the AVideo plugin endpoints
- Enable comprehensive database query logging and establish baseline behavior to identify anomalous SQL execution patterns
- Monitor HTTP access logs for requests to pluginRunDatabaseScript.json.php with suspicious parameter values
- Deploy file integrity monitoring on the plugin and web-root directories to catch modified SQL installation scripts and, more importantly, newly created install/install.sql files in locations the web application can write to (file integrity monitoring sees writes, not reads, so it will not detect the script being executed)
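The indicators of compromise and detection strategies above, run over sample log records as an added example (this is not part of the original advisory and not a tool the AVideo project ships). The JSON-lines format with a body field is an assumption: it models a reverse proxy configured to log request bodies, since ordinary access logs never contain them. The five records are constructed for the demonstration and use documentation address ranges:

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "objects/pluginRunDatabaseScript.json.php"
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")

# Constructed sample records. The JSON-lines shape with a "body" field is an
# assumption: a reverse proxy has to be configured to log request bodies,
# because standard access logs never include them.
SAMPLE_LOG = """
{"ip":"203.0.113.10","method":"POST","uri":"/objects/pluginRunDatabaseScript.json.php","origin":"https://video.example.com","body":"name=YouTube"}
{"ip":"198.51.100.7","method":"POST","uri":"/objects/pluginRunDatabaseScript.json.php","origin":"https://video.example.com","body":"name=..%2F..%2F..%2F..%2Ftmp%2Fevil"}
{"ip":"198.51.100.7","method":"POST","uri":"/objects/pluginRunDatabaseScript.json.php","origin":"https://attacker.example","body":"name=%252e%252e%252fvideos%252fdrop"}
{"ip":"203.0.113.11","method":"GET","uri":"/objects/pluginRunDatabaseScript.json.php?name=../x","origin":null,"body":""}
{"ip":"203.0.113.12","method":"POST","uri":"/index.php","origin":"https://video.example.com","body":"name=../nothing"}
"""


def decode_name(body: str, query: str) -> Optional[str]:
    """Return the 'name' parameter as the application would see it.
    parse_qs decodes one layer of percent-encoding (as PHP does for $_POST);
    further layers are peeled so that %252e%252e%252f is caught as well."""
    for source in (body, query):
        params = parse_qs(source)
        if "name" in params:
            value = params["name"][0]
            for _ in range(3):
                decoded = unquote(value)
                if decoded == value:
                    break
                value = decoded
            return value
    return None


def analyse(lines: str, site_origin: str) -> List[Dict]:
    """Flag requests to the vulnerable endpoint whose name parameter is not a
    plain plugin name, and POSTs whose Origin is missing or foreign (the CSRF
    signal). The advisory describes a POST parameter; the query string is
    checked too because it costs nothing."""
    findings = []
    for raw in lines.strip().splitlines():
        rec = json.loads(raw)
        parts = urlsplit(rec["uri"])
        if not parts.path.endswith(ENDPOINT):
            continue
        name = decode_name(rec.get("body", ""), parts.query)
        reasons = []
        if name is not None and (TRAVERSAL.search(name) or not SAFE_NAME.fullmatch(name)):
            reasons.append("traversal-or-unexpected-name")
        if rec["method"] == "POST" and rec.get("origin") != site_origin:
            reasons.append("cross-origin-or-missing-origin")
        if reasons:
            findings.append({"ip": rec["ip"], "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, "https://video.example.com"):
        print(finding)
```

Two design points carry over to a real SIEM rule: decode the parameter before matching (a pattern applied to the raw body misses %252e double-encoding), and treat the name as suspicious when it is anything other than a plain identifier rather than only when it contains ../, since the legitimate value space is tiny and the allowlist is cheaper to maintain than a list of bad patterns.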
Monitoring Recommendations
- Configure SIEM alerts for path traversal attack patterns targeting AVideo endpoints
- Establish database activity monitoring with alerts for DDL operations, privilege escalations, or bulk data access outside normal application behavior
- Alert on POST requests to administrative endpoints whose Origin or Referer header is missing or names another site; this is the practical CSRF signal, since the request itself is otherwise indistinguishable from a legitimate admin action
- Regularly audit AVideo administrative account activity and access patterns
How to Mitigate CVE-2026-33681
Immediate Actions Required
- Upgrade WWBN AVideo to a version containing commit 81b591c509835505cb9f298aa1162ac64c4152cb or later
- Review database audit logs for any indicators of exploitation and investigate suspicious SQL execution
- Restrict network access to the AVideo administrative interface using IP allowlisting or VPN requirements
- Implement CSRF protection tokens for all administrative actions if not already present
Patch Information
The vulnerability has been addressed in commit 81b591c509835505cb9f298aa1162ac64c4152cb. Administrators should update their AVideo installations to incorporate this fix. For detailed patch information, refer to the GitHub Commit Update and the GitHub Security Advisory.
Workarounds
- Implement WAF rules to block requests containing path traversal sequences to the objects/pluginRunDatabaseScript.json.php endpoint
- Restrict access to the AVideo administrative panel to trusted IP addresses only using firewall rules or web server configuration
- Disable the vulnerable endpoint temporarily by modifying web server configuration if not required for normal operations
- Reject, at a WAF or reverse proxy in front of the application, requests to the endpoint whose body contains traversal sequences; rejecting the request is simpler and safer than trying to rewrite or "sanitize" the parameter before it reaches PHP
# Example: Nginx configuration for the IP restriction above. Note that nginx
# evaluates "if" in the rewrite phase, before the request body has been read,
# so an "if ($request_body ~* ...)" test always sees an empty body and cannot
# block traversal in POST parameters; body inspection needs a WAF module such
# as ModSecurity or naxsi, or a WAF in front of nginx.
location ~ /objects/pluginRunDatabaseScript\.json\.php$ {
    # Restrict to trusted admin IPs only (example ranges)
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny all;
    # Traversal in the query string is the one place plain nginx can block it
    if ($args ~* "(\.\./|\.\.\\\\|%2e%2e%2f|%2e%2e%5c)") {
        return 403;
    }
    # Keep the same fastcgi_pass/include lines as the vhost's regular PHP
    # location here; otherwise nginx serves the script's source as a static file.
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

