Cve-2026-41058 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-41058/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 22 Apr 2026 12:00:00 +0000WWBN AVideo Unauthenticated Path Traversal Vulnerability (CVE-2026-41058)https://feed.craftedsignal.io/briefs/2026-04-avideo-path-traversal/Wed, 22 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-avideo-path-traversal/WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.WWBN AVideo is an open-source video platform. Versions 29.0 and below are vulnerable to a path traversal vulnerability (CVE-2026-41058) due to an incomplete fix for the deleteDump parameter in the CloneSite functionality. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server by injecting ../../ sequences into the GET request. The vulnerability was reported on April 21, 2026, and a fix is available in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2. Successful exploitation allows attackers to potentially disrupt service, delete sensitive data, or escalate privileges depending on the file permissions.

Attack Chain

  1. The attacker identifies an AVideo instance running version 29.0 or below.
  2. The attacker crafts a malicious HTTP GET request targeting the CloneSite functionality.
  3. The attacker injects a path traversal sequence (e.g., ../../) into the deleteDump parameter of the GET request.
  4. The AVideo application fails to properly sanitize the deleteDump parameter.
  5. The unlink() function is called with the attacker-controlled path, allowing deletion of arbitrary files.
  6. The attacker uses the vulnerability to delete critical system files or configuration files.
  7. The application or server becomes unstable or inoperable.

Impact

Successful exploitation of CVE-2026-41058 allows unauthenticated attackers to delete arbitrary files on the AVideo server. This can lead to denial of service, data loss, or potential privilege escalation if critical system files are deleted. The vulnerability affects all AVideo instances running version 29.0 or below, potentially impacting a large number of users and organizations relying on the platform.

Recommendation

  • Upgrade AVideo instances to a version containing the fix from commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 to address CVE-2026-41058.
  • Deploy the Sigma rule Detect AVideo Path Traversal Attempt to identify exploitation attempts in web server logs.
  • Implement web application firewall (WAF) rules to block requests containing path traversal sequences in the deleteDump parameter.
  • Monitor web server logs for suspicious activity related to the CloneSite functionality and the deleteDump parameter.
]]>highadvisorypath traversalcve-2026-41058avideowebserver