Avideo · Avideo · CVE-2026-33354
**Name of the Vulnerable Software and Affected Versions**
AVideo versions up to and including 26.0
**Description**
The `POST /objects/aVideoEncoder.json.php` endpoint in AVideo accepts a requester-controlled `chunkFile` parameter that may name an arbitrary local filesystem path. The `isValidURLOrPath()` helper does not confine that path to the expected chunk upload location: it permits files under broad server directories, including `/var/www/`, the application root, the cache and tmp directories, and `videos`, and rejects only files with a `.php` extension. Because the endpoint copies the referenced file into the requester's public video storage, an authenticated uploader can read arbitrary local files (other than `.php` sources) simply by supplying their path and then fetching the copy over HTTP. The issue was demonstrated by retrieving a TLS private key from `/var/www/html/AVideo/.compose/letsencrypt/live/localhost/privkey.pem`.
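The following is an added example written for this page, not code from the AVideo project. It contrasts a prefix-and-extension check of the kind the advisory describes with a check that confines `chunkFile` to a single chunk directory by resolving the real path first. The function names, the list of allowed roots, and the chunk directory layout are assumptions for illustration; the only path taken from the advisory is the `privkey.pem` example.

```php
<?php
// Added example, not AVideo's code. Illustrates why an allowlist of broad
// directory prefixes plus a ".php" denylist does not stop local file reads.

// Weak check (hypothetical): the path only has to start with one of several
// broad roots and must not end in ".php". Nothing ties it to the chunk dir.
function weakIsValidPath(string $path): bool {
    $allowedRoots = ['/var/www/', sys_get_temp_dir() . '/']; // assumed roots
    if (preg_match('/\.php$/i', $path)) {
        return false;
    }
    foreach ($allowedRoots as $root) {
        if (strncmp($path, $root, strlen($root)) === 0) {
            return true;
        }
    }
    return false;
}

// Hardened check (hypothetical): the path must resolve, after ".." and
// symlink resolution, to a regular file inside the chunk directory.
function hardenedIsValidChunkPath(string $path, string $chunkDir): bool {
    $base = realpath($chunkDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;                      // nonexistent dir or file
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;                      // escaped the chunk directory
    }
    return is_file($real);                 // no directories, sockets, etc.
}

// Constructed fixture: a throwaway chunk directory with one chunk, plus a
// stand-in secret file outside it (in the temp dir, which the weak check allows).
$chunkDir = sys_get_temp_dir() . '/avideo_chunks_' . getmypid();
mkdir($chunkDir, 0700, true);
file_put_contents("$chunkDir/chunk_0001", 'constructed video bytes');
$secret = sys_get_temp_dir() . '/privkey_' . getmypid() . '.pem';
file_put_contents($secret, "-----BEGIN PRIVATE KEY-----\nconstructed\n");

$cases = [
    "$chunkDir/chunk_0001",                                  // legitimate chunk
    $secret,                                                  // sibling of chunk dir
    "$chunkDir/../" . basename($secret),                      // traversal into it
    '/var/www/html/AVideo/.compose/letsencrypt/live/localhost/privkey.pem',
    "$chunkDir/../index.php",                                 // blocked by extension only
];
foreach ($cases as $p) {
    printf("%-70s weak=%s hardened=%s\n", $p,
        weakIsValidPath($p) ? 'ALLOW' : 'deny',
        hardenedIsValidChunkPath($p, $chunkDir) ? 'ALLOW' : 'deny');
}

unlink($secret);
unlink("$chunkDir/chunk_0001");
rmdir($chunkDir);
```

Run with `php example.php`. The weak check allows every non-`.php` path under its roots, including the advisory's `privkey.pem` path (as a pure string test, whether or not the file exists), while the hardened check allows only the real chunk. Note that `realpath()` also defeats symlinks planted inside the chunk directory, which a plain string prefix comparison on the unresolved path would not.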
**Recommendations**
Affected releases (26.0 and earlier) should be updated to a release that contains the fix as soon as one is published. As a temporary workaround, restrict access to the `aVideoEncoder.json.php` endpoint to the hosts that legitimately need it, or reject any `chunkFile` value that does not resolve to a regular file inside the expected chunk upload directory, rather than relying on the `.php` extension exclusion alone.