CVE-2026-41058: AVideo Path Traversal Vulnerability

CVE-2026-41058 Overview

CVE-2026-41058 is a path traversal vulnerability affecting WWBN AVideo, an open source video platform. The vulnerability exists due to an incomplete fix for the CloneSite deleteDump parameter, which fails to apply proper path traversal filtering. This allows authenticated attackers to delete arbitrary files on the server via ../../ directory traversal sequences passed through the GET parameter, ultimately calling unlink() on attacker-controlled file paths.

Critical Impact

Authenticated attackers can delete arbitrary files on the server, potentially leading to denial of service, data loss, or compromise of system integrity by removing critical configuration or application files.

Affected Products

• WWBN AVideo version 29.0 and below
• AVideo installations with CloneSite functionality enabled
• Self-hosted AVideo video platform deployments

Discovery Timeline

• April 21, 2026 - CVE-2026-41058 published to NVD
• April 22, 2026 - Last updated in NVD database

Technical Details for CVE-2026-41058

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Path Traversal), a common weakness where user input is not properly sanitized before being used in file system operations. The root issue stems from an incomplete security patch that was intended to address path traversal in the CloneSite feature's deleteDump parameter.

The vulnerability allows network-based attacks with low complexity, requiring only low-level privileges to exploit. While no confidential data is directly exposed through this flaw, successful exploitation can result in high integrity and availability impact through the deletion of arbitrary files on the target system.

Root Cause

The incomplete fix for the AVideo CloneSite feature's deleteDump parameter fails to implement comprehensive path traversal filtering. When user-supplied input is passed to the unlink() PHP function without adequate sanitization, attackers can craft malicious requests containing directory traversal sequences (../../) to escape the intended directory scope and target files anywhere on the file system accessible to the web server process.

Attack Vector

The attack vector is network-based and targets the CloneSite functionality within AVideo. An authenticated attacker with low-level privileges can craft a malicious GET request containing path traversal sequences in the deleteDump parameter. When processed by the vulnerable code path, the unsanitized input is passed directly to the PHP unlink() function, which deletes the specified file.

For example, an attacker could construct a request to delete critical configuration files, database files, or application code by traversing out of the intended dump directory and specifying target files relative to the web root or system directories. The vulnerability mechanism involves crafting GET requests with payloads like deleteDump=../../path/to/target/file to reach files outside the intended directory scope. For detailed technical information, see the GitHub Security Advisory GHSA-5879.

Detection Methods for CVE-2026-41058

Indicators of Compromise

• HTTP GET requests to CloneSite endpoints containing ../ or ..%2F sequences in the deleteDump parameter
• Unexpected file deletion events in web server logs, particularly affecting files outside the AVideo dump directories
• Web server access logs showing repeated requests to CloneSite functionality with encoded path traversal patterns
• Missing critical application files, configuration files, or database files without authorized administrative action

Detection Strategies

• Configure Web Application Firewalls (WAF) to detect and block path traversal patterns including ../, ..%2F, ..%252F, and other encoded variants
• Implement file integrity monitoring (FIM) on critical system and application files to detect unauthorized deletions
• Review web server access logs for suspicious CloneSite requests with unusual parameter values
• Deploy intrusion detection rules to flag HTTP requests containing directory traversal sequences targeting AVideo endpoints

Monitoring Recommendations

• Enable verbose logging on AVideo application to capture all file system operations
• Monitor file deletion events on servers hosting AVideo, particularly outside designated upload and dump directories
• Set up alerts for HTTP 200 responses to CloneSite requests containing encoded special characters
• Implement real-time log analysis to correlate multiple path traversal attempts from the same source

How to Mitigate CVE-2026-41058

Immediate Actions Required

• Update AVideo to a version containing commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 or later
• Review web server logs for evidence of exploitation attempts targeting the deleteDump parameter
• Implement WAF rules to block path traversal patterns while awaiting patching
• Audit file system permissions to ensure the web server process has minimal write and delete access

Patch Information

The vulnerability has been addressed in GitHub Commit 3c72971, which contains an updated fix for the path traversal filtering issue. This commit supersedes the incomplete fix in GitHub Commit 941decD. Administrators should ensure their AVideo installation includes commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 or update to the latest available version. Additional details are available in the GitHub Security Advisory GHSA-xmjm.

Workarounds

• Disable or restrict access to the CloneSite functionality if not required for operations
• Implement web server level access controls to limit who can access CloneSite endpoints
• Deploy a reverse proxy or WAF with strict input validation rules blocking path traversal sequences
• Run AVideo under a restricted user account with minimal file system permissions

# Example Apache ModSecurity rule to block path traversal in deleteDump parameter
SecRule ARGS:deleteDump "@contains ../" \
    "id:100001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'Path traversal attempt blocked in AVideo deleteDump parameter'"