Avideo — CraftedSignal Threat Feed

WWBN AVideo Unauthenticated Path Traversal Vulnerability (CVE-2026-41058)

hello@craftedsignal.io — Wed, 22 Apr 2026 12:00:00 +0000

WWBN AVideo is an open-source video platform. Versions 29.0 and below are vulnerable to a path traversal vulnerability (CVE-2026-41058) due to an incomplete fix for the deleteDump parameter in the CloneSite functionality. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server by injecting ../../ sequences into the GET request. The vulnerability was reported on April 21, 2026, and a fix is available in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2. Successful exploitation allows attackers to potentially disrupt service, delete sensitive data, or escalate privileges depending on the file permissions.

Attack Chain

The attacker identifies an AVideo instance running version 29.0 or below.
The attacker crafts a malicious HTTP GET request targeting the CloneSite functionality.
The attacker injects a path traversal sequence (e.g., ../../) into the deleteDump parameter of the GET request.
The AVideo application fails to properly sanitize the deleteDump parameter.
The unlink() function is called with the attacker-controlled path, allowing deletion of arbitrary files.
The attacker uses the vulnerability to delete critical system files or configuration files.
The application or server becomes unstable or inoperable.

Impact

Successful exploitation of CVE-2026-41058 allows unauthenticated attackers to delete arbitrary files on the AVideo server. This can lead to denial of service, data loss, or potential privilege escalation if critical system files are deleted. The vulnerability affects all AVideo instances running version 29.0 or below, potentially impacting a large number of users and organizations relying on the platform.

Recommendation

Upgrade AVideo instances to a version containing the fix from commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 to address CVE-2026-41058.
Deploy the Sigma rule Detect AVideo Path Traversal Attempt to identify exploitation attempts in web server logs.
Implement web application firewall (WAF) rules to block requests containing path traversal sequences in the deleteDump parameter.
Monitor web server logs for suspicious activity related to the CloneSite functionality and the deleteDump parameter.

WWBN AVideo SSRF Vulnerability (CVE-2026-41055)

hello@craftedsignal.io — Wed, 22 Apr 2026 12:00:00 +0000

WWBN AVideo, an open-source video platform, is vulnerable to Server-Side Request Forgery (SSRF) in versions 29.0 and below. The vulnerability, identified as CVE-2026-41055, stems from an incomplete fix in the LiveLinks proxy. While the fix introduced isSSRFSafeURL() validation, it fails to address Time-of-Check Time-of-Use (TOCTOU) vulnerabilities related to DNS rebinding. This flaw allows attackers to bypass the intended SSRF protection by manipulating DNS responses between the validation check and the actual HTTP request, potentially redirecting traffic to internal, sensitive endpoints. The vulnerability can be remediated by applying the updated fix found in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8. Exploitation could lead to information disclosure or unauthorized access to internal services.

Attack Chain

Attacker identifies an AVideo instance running a vulnerable version (<= 29.0).
Attacker crafts a malicious URL targeting the AVideo LiveLinks proxy feature.
The malicious URL is designed to leverage DNS rebinding techniques.
The AVideo server first validates the URL using isSSRFSafeURL(), which initially resolves to a safe, external IP address.
After validation, but before the HTTP request is made, the DNS record for the malicious URL is altered to point to an internal IP address.
The AVideo server, due to the TOCTOU vulnerability, now makes an HTTP request to the attacker-controlled internal IP address.
The attacker gains access to internal resources or services through the AVideo server.
Attacker exfiltrates sensitive data or pivots to other internal systems.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-41055) in WWBN AVideo could allow attackers to access sensitive internal resources that are not intended to be exposed to the public internet. An attacker could potentially read internal configuration files, access databases, or even execute commands on internal systems, depending on the exposed services. The specific impact will vary depending on the organization’s internal network configuration and the services running behind the AVideo server.

Recommendation

Upgrade WWBN AVideo to a version containing the complete SSRF fix, referencing commit 8d8fc0cadb425835b4861036d589abcea4d78ee8.
Implement network segmentation to limit the impact of potential SSRF vulnerabilities by restricting access from the AVideo server to only necessary internal resources.
Deploy the Sigma rule Detect Suspicious AVideo SSRF Attempt to detect potential exploitation attempts via web server logs.
Monitor web server logs for unusual outbound connections from the AVideo server to internal IP addresses based on the network_connection log source.

WWBN AVideo Unauthenticated Remote Code Execution via test.php

hello@craftedsignal.io — Wed, 22 Apr 2026 00:16:28 +0000

WWBN AVideo, an open-source video platform, is vulnerable to an unauthenticated remote code execution (RCE) flaw. This vulnerability, identified as CVE-2026-41064, exists in versions up to and including 29.0. The root cause is an incomplete fix applied to the test.php file. While the fix implemented escapeshellarg for the wget command, it neglected to sanitize input for the file_get_contents and curl code paths. Additionally, the URL validation regex /^http/ is overly permissive, accepting malicious strings such as httpevil[.]com. Successful exploitation allows attackers to execute arbitrary commands on the server hosting the AVideo platform. The recommended remediation is to apply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536.

Attack Chain

An attacker sends a crafted HTTP request to the test.php endpoint.
The request includes a malicious URL, designed to exploit the insufficient input validation in the file_get_contents or curl code paths. For example, using httpevil[.]com to bypass the regex check /^http/.
The test.php script processes the request, attempting to retrieve content from the attacker-controlled URL using either file_get_contents or curl.
Due to the lack of proper sanitization, the malicious URL is interpreted as an OS command.
The server executes the attacker-supplied OS command.
The attacker gains arbitrary code execution on the AVideo server.
The attacker can then perform various malicious activities, such as installing malware, stealing sensitive data, or pivoting to other systems on the network.

Impact

Successful exploitation of this vulnerability (CVE-2026-41064) grants unauthenticated attackers the ability to execute arbitrary code on the affected AVideo server. This can lead to complete compromise of the server, including data theft, defacement, or use as a staging ground for further attacks. Given the platform’s use in video hosting, successful attacks could impact numerous users and content creators relying on the vulnerable AVideo instance. The vulnerable regex /^http/ and unsanitized functions leave the server open to mass exploitation if exposed to the public internet.

Recommendation

Apply the updated fix detailed in commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 to fully address the input validation issue in test.php.
Deploy the Sigma rule “Detect AVideo test.php Command Injection Attempt” to detect exploitation attempts in web server logs.
Monitor web server logs for requests to test.php containing suspicious URLs, especially those matching the httpevil[.]com pattern as documented in the IOCs.
Implement a more robust URL validation mechanism that properly sanitizes input before passing it to file_get_contents or curl.

WWBN AVideo SSRF Vulnerability via Incomplete CVE-2026-27732 Fix

hello@craftedsignal.io — Wed, 08 Apr 2026 00:08:47 +0000

WWBN AVideo, a video-sharing platform, is susceptible to Server-Side Request Forgery (SSRF) vulnerability due to an incomplete patch for CVE-2026-27732. The vulnerability exists in the objects/aVideoEncoder.json.php script. An authenticated uploader can provide a malicious downloadURL containing a common media extension like .mp4, .jpg, .gif, or .zip, bypassing SSRF validation. This allows the attacker to force the server to fetch internal resources. The server fetches the specified URL using url_get_contents(), stores the response as media content, and makes it accessible through the /videos/... endpoint. This vulnerability, identified as CVE-2026-39370, affects AVideo versions 26.0 and earlier. Exploitation enables exfiltration of sensitive data from internal APIs and services.

Attack Chain

An attacker logs in as a low-privilege authenticated user with upload privileges.
The attacker crafts a malicious downloadURL pointing to an internal resource (e.g., http://127.0.0.1:9998/probe.mp4).
The attacker sends a POST request to /objects/aVideoEncoder.json.php with the downloadURL and a valid format parameter (e.g., mp4).
AVideo’s downloadVideoFromDownloadURL() function extracts the extension and incorrectly skips isSSRFSafeURL() validation due to the allowlisted extension.
The server fetches the content from the attacker-controlled downloadURL using url_get_contents().
The fetched content is written into video storage.
The attacker retrieves the media metadata using GET /objects/videos.json.php?showAll=1 to obtain the videosURL.mp4.url.
The attacker downloads the media URL and recovers the content from the internal resource.

Impact

Successful exploitation allows an authenticated uploader to force the AVideo server to fetch internal resources and persist the response as media content. This Server-Side Request Forgery (SSRF) vulnerability allows internal response exfiltration from private APIs, admin endpoints, or other internal services reachable from the application host. The number of potential victims is related to the installations of AVideo with versions less than or equal to 26.0, and the sectors primarily affected are likely media and entertainment, as well as organizations utilizing AVideo for internal video hosting.

Recommendation

Apply isSSRFSafeURL() to all downloadURL inputs in objects/aVideoEncoder.json.php, regardless of file extension to remediate CVE-2026-39370.
Deploy the Sigma rule “Detect AVideo SSRF Attempt via DownloadURL” to identify potential exploitation attempts based on requests to /objects/aVideoEncoder.json.php.
Restrict upload-by-URL functionality to an explicit allowlist of trusted fetch origins.

WWBN AVideo Unauthenticated decryptString Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

WWBN AVideo is an open-source video platform. Versions up to and including 26.0 are vulnerable to an improper authentication issue within the API plugin. The decryptString action, intended for internal decryption processes, is exposed without any authentication requirements. Attackers can exploit this vulnerability to submit ciphertext, which is publicly accessible through endpoints like view/url2Embed.json.php, and receive the corresponding plaintext. Successful exploitation allows…

WWBN AVideo SQL Injection Vulnerability (CVE-2026-33723)

hello@craftedsignal.io — Mon, 23 Mar 2026 19:16:42 +0000

WWBN AVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33723) affecting versions up to and including 26.0. The vulnerability resides within the Subscribe::save() method located in objects/subscribe.php. The application directly concatenates the $this->users_id property into an INSERT SQL query without proper sanitization or parameterized binding. This property originates from the $_POST['user_id'] parameter in both…

WWBN AVideo Privilege Escalation via Moderator Account

hello@craftedsignal.io — Mon, 23 Mar 2026 19:16:41 +0000

WWBN AVideo, an open-source video platform, is vulnerable to a privilege escalation flaw. Specifically, AVideo versions up to and including 26.0, a user with “Videos Moderator” permissions can perform unauthorized video management operations. The vulnerability stems from the inconsistent authorization checks within the platform’s code. While the “Videos Moderator” permission is intended to only permit changes to video publicity (Active, Inactive, Unlisted), the flaw allows for full video editing operations, including ownership transfer and video deletion. This vulnerability was patched in commit 838e16818c793779406ecbf34ebaeba9830e33f8. Successful exploitation of this flaw could lead to data loss and unauthorized content manipulation.

Attack Chain

An attacker gains access to a legitimate “Videos Moderator” account on the AVideo platform.
The attacker leverages the Permissions::canModerateVideos() function within videoAddNew.json.php to initiate video editing operations beyond the intended scope of the moderator role.
The attacker modifies the ownership of a target video, transferring it to an account controlled by the attacker.
The attacker, now the owner of the target video, bypasses the intended authorization controls within the videoDelete.json.php script.
The attacker invokes the videoDelete.json.php script to delete the video.
The platform deletes the video, due to the successful ownership transfer and the insufficient permission checks in the delete function.
The attacker repeats the process to delete any video on the platform.

Impact

Successful exploitation of this vulnerability allows an attacker with limited “Videos Moderator” privileges to escalate their access and perform unauthorized video management operations. This can lead to the deletion of arbitrary videos on the platform, resulting in data loss, service disruption, and potential reputational damage. The number of affected installations is unknown.

Recommendation

Apply the patch from commit 838e16818c793779406ecbf34ebaeba9830e33f8 to address the vulnerability in AVideo (CVE-2026-33650).
Monitor web server logs for requests to videoAddNew.json.php and videoDelete.json.php originating from “Videos Moderator” accounts, looking for anomalous activity (see Sigma rule below).
Implement stricter authorization controls for video management operations within the AVideo platform to prevent privilege escalation.

AVideo Unauthenticated Server-Side Request Forgery Vulnerability

hello@craftedsignal.io — Mon, 23 Mar 2026 17:16:51 +0000

AVideo, an open-source video platform, is affected by a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33502) in versions up to and including 26.0. The vulnerability exists within the plugin/Live/test.php file. An attacker can exploit this flaw to force the AVideo server to make HTTP requests to arbitrary URLs. Successful exploitation allows attackers to probe internal network services, potentially accessing sensitive internal HTTP resources, cloud metadata endpoints, and other protected assets. The patch for this vulnerability is included in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3. This vulnerability poses a significant risk, as it does not require authentication and can lead to the exposure of sensitive information and potential compromise of internal infrastructure.

Attack Chain

The attacker identifies an AVideo instance running a vulnerable version (<= 26.0).
The attacker crafts a malicious HTTP request targeting the plugin/Live/test.php endpoint.
The crafted request includes a URL parameter pointing to an internal resource (e.g., http://localhost/admin).
The AVideo server, without proper validation, processes the request and sends an HTTP request to the attacker-specified URL.
The server receives the HTTP response from the internal resource.
The server may return the content of the internal resource to the attacker, depending on the AVideo application logic.
The attacker analyzes the returned content, potentially gaining access to sensitive information like configuration files, API keys, or internal service endpoints.
The attacker leverages the exposed information to further compromise the AVideo instance or the internal network.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-33502) can lead to the exposure of sensitive internal resources, including configuration files, API keys, and cloud metadata. This can enable attackers to gain unauthorized access to internal systems, escalate privileges, and potentially compromise the entire infrastructure. The number of affected AVideo instances is currently unknown, but given its open-source nature, it is potentially widespread across various sectors. A successful attack can lead to data breaches, service disruption, and reputational damage.

Recommendation

Upgrade AVideo instances to a patched version containing commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 to remediate CVE-2026-33502.
Deploy the Sigma rule Detect AVideo SSRF Attempt via plugin Live Test to identify potential exploitation attempts targeting the vulnerable endpoint.
Implement network segmentation to restrict access to internal resources and mitigate the impact of successful SSRF exploitation.
Review webserver logs for suspicious requests to plugin/Live/test.php with unusual URL parameters (log source: webserver).

WWBN AVideo Unauthorized File Access and Deletion Vulnerability

hello@craftedsignal.io — Mon, 23 Mar 2026 16:16:49 +0000

WWBN AVideo, an open-source video platform, is vulnerable to unauthorized file access and deletion in versions up to and including 26.0. The vulnerability resides in the objects/import.json.php endpoint, which lacks proper directory restriction on the user-controlled fileURI POST parameter. This allows an authenticated user with upload permissions to bypass intended security measures and access or delete files outside of their authorized scope. The vulnerability was addressed in commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78. This vulnerability allows for the potential compromise of sensitive video content and adjacent data. Exploitation can lead to data theft and potential data loss. Defenders should prioritize patching and monitoring for suspicious activity targeting this endpoint.

Attack Chain

An attacker authenticates to the AVideo platform with a valid user account that possesses upload permissions.
The attacker crafts a malicious HTTP POST request targeting the objects/import.json.php endpoint.
The POST request includes the fileURI parameter, which is set to a path pointing to a target video file or adjacent text file outside the user’s designated directory.
The server-side code processes the request without performing adequate directory restriction checks on the fileURI parameter.
If the target is a video file, the server imports the video file into the attacker’s account, allowing the attacker to steal private video files.
If the target is a readable text file adjacent to a video, the attacker can access its contents via the import mechanism.
If the targeted file (either video or adjacent text file) is writable by the web server process, the attacker can trigger its deletion by including the appropriate parameters in the crafted request.
The attacker successfully exfiltrates the stolen video data or sensitive information from accessed files, or causes data loss due to file deletion.

Impact

Successful exploitation of this vulnerability can lead to several critical consequences. An attacker can steal private video files belonging to other users, resulting in a breach of confidentiality and potential reputational damage. The ability to read adjacent .txt/.html/.htm files can expose sensitive information, such as configuration files or credentials. Furthermore, the capability to delete .mp4 files and adjacent text files can cause data loss and disruption of service. The number of affected users depends on the specific deployment and the number of users with private video content.

Recommendation

Apply the patch from commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 to remediate CVE-2026-33493.
Deploy the Sigma rule to your web server logs to detect attempts to access arbitrary files using the fileURI parameter in requests to objects/import.json.php.
Monitor web server logs for unusual file access patterns, particularly requests to objects/import.json.php with fileURI parameters containing directory traversal sequences like “../”.