{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41058/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41058"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","cve-2026-41058","avideo","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo is an open-source video platform. Versions 29.0 and below are vulnerable to a path traversal vulnerability (CVE-2026-41058) due to an incomplete fix for the \u003ccode\u003edeleteDump\u003c/code\u003e parameter in the CloneSite functionality. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server by injecting \u003ccode\u003e../../\u003c/code\u003e sequences into the GET request. The vulnerability was reported on April 21, 2026, and a fix is available in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2. Successful exploitation allows attackers to potentially disrupt service, delete sensitive data, or escalate privileges depending on the file permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running version 29.0 or below.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the CloneSite functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) into the \u003ccode\u003edeleteDump\u003c/code\u003e parameter of the GET request.\u003c/li\u003e\n\u003cli\u003eThe AVideo application fails to properly sanitize the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called with the attacker-controlled path, allowing deletion of arbitrary files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the vulnerability to delete critical system files or configuration files.\u003c/li\u003e\n\u003cli\u003eThe application or server becomes unstable or inoperable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41058 allows unauthenticated attackers to delete arbitrary files on the AVideo server. This can lead to denial of service, data loss, or potential privilege escalation if critical system files are deleted. The vulnerability affects all AVideo instances running version 29.0 or below, potentially impacting a large number of users and organizations relying on the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo instances to a version containing the fix from commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 to address CVE-2026-41058.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences in the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the CloneSite functionality and the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-avideo-path-traversal/","summary":"WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.","title":"WWBN AVideo Unauthenticated Path Traversal Vulnerability (CVE-2026-41058)","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-41058","version":"https://jsonfeed.org/version/1.1"}