CVE-2026-45731: Wwbn Avideo Path Traversal Vulnerability

CVE-2026-45731 Overview

CVE-2026-45731 is a path traversal vulnerability [CWE-22] in WWBN AVideo, an open source video platform. The flaw exists in view/update.php, which reads the $_POST['updateFile'] parameter as a relative path under the updatedb/ directory. The application passes this user-controlled value to PHP's file() function for line-by-line processing during database migration. An authenticated administrator can supply traversal sequences to read arbitrary text files accessible to the web-server process. The vulnerability affects AVideo version 29.0 and earlier.

Critical Impact
Authenticated administrators can read arbitrary text files on the host filesystem reachable by the PHP process, enabling disclosure of configuration files, credentials, and other sensitive data.

Affected Products

WWBN AVideo 29.0
WWBN AVideo versions prior to 29.0
Deployments exposing view/update.php to authenticated administrative users

Discovery Timeline

2026-05-29 - CVE-2026-45731 published to NVD
2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-45731

Vulnerability Analysis

The vulnerability resides in the database migration handler at view/update.php. The script accepts an updateFile parameter via HTTP POST and treats it as a relative path beneath the updatedb/ directory. The application then invokes PHP's file() function on the resolved path, which reads the file into an array of lines for sequential processing.

Because the application does not normalize or constrain the supplied path, an attacker can submit traversal sequences such as ../../../../etc/passwd to escape the intended directory. The contents of any text-readable file accessible to the web-server user become available to the migration routine. This category of weakness is tracked as Improper Limitation of a Pathname to a Restricted Directory [CWE-22].

Exploitation requires authenticated administrator privileges, which limits the attack surface but does not eliminate risk. Compromised administrator credentials, insider threats, and chained authentication bypass flaws can each enable abuse. The EPSS score is 0.079%.

Root Cause

The root cause is the absence of path canonicalization and allowlist validation on the updateFile POST parameter before it reaches file(). The migration logic assumes the input remains scoped to updatedb/, but PHP file functions resolve .. segments against the filesystem without restriction.

Attack Vector

An authenticated administrator submits a crafted POST request to view/update.php with updateFile set to a relative path containing directory traversal sequences. The PHP process opens the targeted file through file(), and its line-by-line contents are exposed through the migration workflow. Network access to the administrative interface is the only prerequisite beyond authentication.

No verified public exploit code is available. Technical specifics are documented in the WWBN AVideo GitHub Security Advisory GHSA-3mjv-375j-6h92.

Detection Methods for CVE-2026-45731

Indicators of Compromise

POST requests to view/update.php containing updateFile values with ../ traversal sequences or absolute paths
Web-server access to sensitive files such as /etc/passwd, videos/configuration.php, or .env correlated with PHP worker activity tied to AVideo
Unexpected administrator session activity targeting database migration endpoints outside of upgrade windows

Detection Strategies

Inspect web server and PHP access logs for updateFile parameter values containing .., URL-encoded traversal (%2e%2e%2f), or paths outside updatedb/
Deploy WAF rules that block path traversal patterns in POST bodies submitted to AVideo administrative endpoints
Alert on file reads by the web-server user against sensitive configuration or credential files

Monitoring Recommendations

Correlate authenticated admin session identifiers with requests to view/update.php to detect anomalous use
Monitor for changes to AVideo administrator account credentials and unexpected logins from new IP addresses
Track filesystem audit events for the PHP-FPM or Apache user accessing files outside the AVideo web root

How to Mitigate CVE-2026-45731

Immediate Actions Required

Upgrade WWBN AVideo to a version later than 29.0 once a fixed release is available per the vendor advisory
Restrict access to view/update.php to trusted administrative IP ranges using web-server access controls
Rotate AVideo administrator credentials and audit administrator account inventory for unauthorized additions

Patch Information

Refer to the WWBN AVideo GitHub Security Advisory GHSA-3mjv-375j-6h92 for vendor-supplied patch details and upgrade guidance. Apply the fixed release as soon as it is published by the maintainer.

Workarounds

Block external access to view/update.php at the reverse proxy or web server when upgrades are not actively in progress
Enforce multi-factor authentication on AVideo administrator accounts to reduce credential compromise risk
Run the PHP process under a low-privilege user with filesystem access limited to the AVideo application directory

bash

# Example nginx configuration to restrict access to the vulnerable endpoint
location = /view/update.php {
    allow 10.0.0.0/24;   # trusted admin subnet
    deny all;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}