PT-2026-26777 · Avideo · Avideo

Restriction · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33493

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: The objects/import.json.php endpoint in AVideo lacks proper path restriction validation when handling the fileURI POST parameter. A regex check confirms that the value ends in .mp4, but it does not restrict the path to the expected videos/ directory. This allows an authenticated user with upload permissions to steal private video files belonging to other users, read adjacent .txt, .html, or .htm files, and delete .mp4 and adjacent text files if the web server process has write access. The issue stems from the absence of a realpath() and directory prefix check, a security measure that is present in objects/listFiles.json.php. The endpoint attempts to read adjacent .txt, .html, or .htm files using file_get_contents(), and copies the .mp4 file to a temporary directory for import. When the delete parameter is set, the source .mp4 and adjacent text files are deleted if they are writable.

Recommendations: Apply the realpath() and directory prefix check from objects/listFiles.json.php to import.json.php immediately after the .mp4 regex check.
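The following is an added illustration of the kind of check the recommendation describes, written for this page; it is not AVideo's own code from objects/import.json.php or objects/listFiles.json.php. The function name resolveVideoPath(), the videos/ directory layout under a temporary folder, and the sample file names are assumptions made for the demonstration.

```php
<?php
// Added example, not AVideo project code: an extension check alone lets
// "../private/other.mp4" through, so the candidate path is canonicalised with
// realpath() and then compared against the canonical allowed directory.

/**
 * Resolve $fileURI and confirm it is an existing .mp4 file located inside
 * $videosDir. Returns the canonical absolute path on success, or null when the
 * value has the wrong extension, does not exist, or lies outside $videosDir.
 * (Hypothetical helper; the real endpoint's structure may differ.)
 */
function resolveVideoPath(string $fileURI, string $videosDir): ?string
{
    // Keep the existing extension check; it is necessary but not sufficient.
    if (!preg_match('/\.mp4$/i', $fileURI)) {
        return null;
    }

    // Canonicalise the allowed directory once. realpath() returns false if it
    // does not exist, which we treat as a hard failure rather than a pass.
    $base = realpath($videosDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Accept either an absolute path or a path relative to the videos directory.
    $candidate = ($fileURI !== '' && $fileURI[0] === DIRECTORY_SEPARATOR)
        ? $fileURI
        : $videosDir . DIRECTORY_SEPARATOR . $fileURI;

    // realpath() resolves "..", symlinks and repeated separators, and returns
    // false for paths that do not exist, so unresolved input never passes.
    $real = realpath($candidate);
    if ($real === false) {
        return null;
    }

    // Prefix check against the canonical base. The trailing separator on $base
    // stops "/srv/videos_private/x.mp4" from matching "/srv/videos".
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }

    return $real;
}

// --- Demo against a constructed directory layout in a temporary folder ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avideo-demo-' . bin2hex(random_bytes(4));
mkdir("$root/videos", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/videos/public.mp4", 'constructed sample data');
file_put_contents("$root/private/secret.mp4", 'constructed sample data');
file_put_contents("$root/videos/notes.txt", 'constructed sample data');

$cases = [
    'public.mp4',                          // relative, inside videos/: accepted
    "$root/videos/public.mp4",             // absolute, inside videos/: accepted
    '../private/secret.mp4',               // traversal out of videos/: rejected
    "$root/private/secret.mp4",            // absolute path elsewhere: rejected
    'notes.txt',                           // wrong extension: rejected
    'missing.mp4',                         // does not exist: rejected
];
foreach ($cases as $fileURI) {
    $result = resolveVideoPath($fileURI, "$root/videos");
    printf("%-30s => %s\n", $fileURI, $result === null ? 'REJECTED' : 'accepted');
}

// Remove the constructed layout.
foreach (["$root/videos/public.mp4", "$root/videos/notes.txt", "$root/private/secret.mp4"] as $f) {
    unlink($f);
}
rmdir("$root/videos");
rmdir("$root/private");
rmdir($root);
```

Once the canonical path has been validated, every later operation the description mentions (deriving the adjacent .txt/.html/.htm name, file_get_contents(), the copy to the temporary import directory, and the unlink performed when the delete parameter is set) should use the returned canonical path rather than the raw fileURI value, so the prefix check also bounds the adjacent-file reads and the deletions.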

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-33493
GHSA-83XQ-8JXJ-4RXM

Affected Products

Avideo