CVE-2026-41062 Overview
CVE-2026-41062 is a Directory Traversal vulnerability affecting WWBN AVideo, an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component (via parse_url($url, PHP_URL_PATH)) for .. sequences. However, the downstream function try_get_contents_from_local() in objects/functionsFile.php uses explode('/videos/', $url) on the full URL string including the query string. An attacker can place the /videos/../../ traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem.
Critical Impact
Remote attackers with low privileges can bypass path traversal protections and read sensitive files from the server filesystem, potentially exposing configuration files, credentials, and other confidential data.
Affected Products
- WWBN AVideo versions 29.0 and below
- AVideo installations using aVideoEncoderReceiveImage.json.php endpoint
- Systems with the vulnerable try_get_contents_from_local() function in objects/functionsFile.php
Discovery Timeline
- April 21, 2026 - CVE CVE-2026-41062 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41062
Vulnerability Analysis
This vulnerability represents a classic security bypass scenario where incomplete input validation fails to account for all attack surfaces. The initial security fix in commit 2375eb5e0 attempted to prevent directory traversal by checking only the URL path component using PHP's parse_url() function with the PHP_URL_PATH flag. This approach is fundamentally flawed because the downstream file access logic in try_get_contents_from_local() processes the entire URL string, including query parameters.
The try_get_contents_from_local() function uses explode('/videos/', $url) to extract the file path, operating on the complete URL rather than just the path component. This discrepancy creates an exploitable gap where an attacker can inject traversal sequences like ../../etc/passwd within the query string portion of the URL, completely bypassing the path-only validation.
Root Cause
The root cause of this vulnerability is a mismatch between the input validation scope and the actual data processing scope. The security check validates only parse_url($url, PHP_URL_PATH) while the downstream explode('/videos/', $url) operates on the full URL including query string parameters. This architectural inconsistency allows traversal payloads placed in query parameters to escape validation entirely, as the validation function never examines that portion of the input.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access. An attacker can craft a malicious URL containing a query string parameter with the pattern ?a=/videos/../../etc/passwd. Since the security check only examines the URL path component, the traversal sequence in the query string passes validation. When try_get_contents_from_local() processes this URL, it extracts ../../etc/passwd as the target path, allowing arbitrary file reads from the server filesystem.
// Initial incomplete fix in objects/aVideoEncoderReceiveImage.json.php
// Source: https://github.com/WWBN/AVideo/commit/2375eb5e0a6d3cbcfb05377657d0820a7d470b1d
)
foreach ($securityChecks as $key => $value) {
- if(!empty($_REQUEST[$value])){
- $_REQUEST[$value] = str_replace('../', '', $_REQUEST[$value]);
+ if (!empty($_REQUEST[$value])) {
+ // Block directory traversal in URL paths.
+ // str_replace('../','') is bypassable via '....//'; instead reject any URL
+ // whose decoded path contains '..' (covers '../', '....//'-bypass, and %2e%2e variants).
+ $decodedPath = urldecode((string)(parse_url($_REQUEST[$value], PHP_URL_PATH) ?? ''));
+ if (strpos($decodedPath, '..') !== false) {
+ unset($_REQUEST[$value]);
+ }
}
}
Source: GitHub Commit - Initial Fix
// Complete fix checking full URL including query string
// Source: https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441
foreach ($securityChecks as $key => $value) {
if (!empty($_REQUEST[$value])) {
- // Block directory traversal in URL paths.
- // str_replace('../','') is bypassable via '....//'; instead reject any URL
- // whose decoded path contains '..' (covers '../', '....//'-bypass, and %2e%2e variants).
- $decodedPath = urldecode((string)(parse_url($_REQUEST[$value], PHP_URL_PATH) ?? ''));
- if (strpos($decodedPath, '..') !== false) {
+ // Block directory traversal in URL paths AND query strings.
+ // The previous check only inspected parse_url(..., PHP_URL_PATH), so a payload
+ // like http://host/x?a=/videos/../../etc/passwd bypassed it entirely because
+ // the '..' appears only in the query string component, not the path.
+ // Decode the full URL string (handles %2e%2e and similar encodings) and reject
+ // any URL that contains '..' anywhere.
+ $decodedFull = urldecode((string)$_REQUEST[$value]);
+ if (strpos($decodedFull, '..') !== false) {
unset($_REQUEST[$value]);
}
}
Source: GitHub Commit - Complete Fix
// Defense-in-depth fix in objects/functionsFile.php
// Source: https://github.com/WWBN/AVideo/commit/bd11c16ec894698e54e2cdae25026c61ad1ed441
$encoder = 'Encoder/';
}
$tryFile = "{$global['systemRootPath']}{$encoder}videos/{$parts[1]}";
+ // Defense-in-depth: validate the resolved path stays within the videos directory.
+ // explode('/videos/', $url) operates on the full URL string including query string,
+ // so a traversal payload in the query string (e.g. ?a=/videos/../../etc/passwd)
+ // populates $parts[1] with '../../etc/passwd' and escapes the directory.
+ $videosBaseDir = realpath("{$global['systemRootPath']}{$encoder}videos");
+ $realTryFile = realpath($tryFile);
+ if ($videosBaseDir === false || $realTryFile === false
+ || strpos($realTryFile, $videosBaseDir . DIRECTORY_SEPARATOR) !== 0
+ ) {
+ _error_log("try_get_contents_from_local: blocked path traversal attempt for url={$url}");
+ return false;
+ }
//_error_log("try_get_contents_from_local {$url} => {$tryFile}");
if (file_exists($tryFile)) {
return file_get_contents($tryFile);
Source: GitHub Commit - Defense in Depth
Detection Methods for CVE-2026-41062
Indicators of Compromise
- HTTP requests to aVideoEncoderReceiveImage.json.php containing .. sequences in query string parameters
- Access logs showing URL patterns with /videos/../../ within query strings
- Unexpected file read attempts logged by the application error handler with message "blocked path traversal attempt"
- Requests containing URL-encoded traversal sequences like %2e%2e%2f in query parameters
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect .. sequences in all parts of URLs including query strings
- Monitor application logs for "try_get_contents_from_local: blocked path traversal attempt" error messages
- Deploy regex-based detection for URL patterns matching \?.*=/videos/\.\./ in web server access logs
- Configure SIEM alerts for anomalous file access patterns from the web application process
Monitoring Recommendations
- Enable verbose logging on the AVideo application to capture all file access attempts
- Monitor network traffic for HTTP requests targeting aVideoEncoderReceiveImage.json.php with suspicious query parameters
- Set up alerts for access to sensitive system files like /etc/passwd or configuration files from unexpected sources
- Review access logs regularly for patterns indicating directory traversal exploitation attempts
How to Mitigate CVE-2026-41062
Immediate Actions Required
- Update WWBN AVideo to a version containing commit bd11c16ec894698e54e2cdae25026c61ad1ed441 or later
- Review web server access logs for evidence of exploitation attempts
- Implement WAF rules to block requests containing directory traversal patterns in all URL components
- Restrict network access to the aVideoEncoderReceiveImage.json.php endpoint if not required
Patch Information
The vulnerability is addressed in commit bd11c16ec894698e54e2cdae25026c61ad1ed441. This fix implements two layers of protection: first, it validates the entire URL string (not just the path component) for directory traversal sequences, and second, it adds defense-in-depth validation in try_get_contents_from_local() using PHP's realpath() function to ensure resolved paths stay within the expected videos directory.
For detailed patch information, refer to the GitHub Security Advisory (GHSA-m63r-m9jh-3vc6) and the related advisory GHSA-f4f9-627c-jh33.
Workarounds
- Disable or restrict access to the aVideoEncoderReceiveImage.json.php endpoint until patching is possible
- Implement server-level path restriction using PHP's open_basedir directive to limit file access
- Deploy a reverse proxy or WAF rule that strips or blocks query parameters containing .. sequences
- Use network segmentation to limit which systems can access the vulnerable endpoint
# Example Apache mod_rewrite rule to block traversal attempts
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.%2e/) [NC]
RewriteRule ^.*aVideoEncoderReceiveImage\.json\.php$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
