<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33292 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33292/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33292/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo HLS Path Traversal Vulnerability (CVE-2026-33292)</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-path-traversal/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-path-traversal/</guid><description>AVideo versions before 26.0 are vulnerable to an unauthenticated path traversal attack via the HLS streaming endpoint, allowing unauthorized access to private or paid videos by manipulating the `videoDirectory` GET parameter due to inconsistent path handling.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is susceptible to a path traversal vulnerability in versions prior to 26.0. The vulnerability, identified as CVE-2026-33292, resides within the HLS streaming endpoint (<code>view/hls.php</code>). An unauthenticated attacker can exploit this flaw to bypass authorization checks and stream private or paid videos without proper credentials. The root cause lies in the inconsistent handling of the <code>videoDirectory</code> GET parameter, where authorization checks truncate the path while file access preserves traversal sequences (&quot;../&quot;), creating a split-oracle condition. Successful exploitation grants unauthorized access to restricted content, potentially leading to data leakage and financial losses for content creators and platform owners. The vulnerability was patched in version 26.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious HTTP GET request targeting the <code>view/hls.php</code> endpoint.</li>
<li>The request includes the <code>videoDirectory</code> parameter with a path traversal sequence (e.g., <code>../../private_video</code>).</li>
<li>The authorization check truncates the <code>videoDirectory</code> parameter at the first <code>/</code>, effectively validating against a different, potentially public, video.</li>
<li>The file access mechanism uses the original, untruncated <code>videoDirectory</code> parameter, resolving the path with traversal sequences.</li>
<li>The server retrieves the content from the specified private video file based on the manipulated path.</li>
<li>The server streams the content of the unauthorized video back to the attacker.</li>
<li>The attacker gains unauthorized access to private or paid video content.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33292 allows unauthenticated attackers to bypass access controls and stream private or paid videos on vulnerable AVideo platforms. This can lead to unauthorized access to sensitive content, financial losses for content creators who rely on paid subscriptions, and reputational damage for the platform. The number of affected AVideo installations is currently unknown, but any instance running a version prior to 26.0 is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade AVideo installations to version 26.0 or later to patch CVE-2026-33292.</li>
<li>Deploy the Sigma rule <code>AVideo HLS Path Traversal Attempt</code> to detect exploitation attempts against the vulnerable endpoint.</li>
<li>Monitor web server logs for suspicious requests to <code>view/hls.php</code> containing path traversal sequences in the <code>videoDirectory</code> parameter to identify potential attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>avideo</category><category>path-traversal</category><category>cve-2026-33292</category><category>webserver</category></item></channel></rss>