Wwbn · Avideo · CVE-2026-46337
**Name of the Vulnerable Software and Affected Versions**
AVideo versions 29.0 and earlier
**Description**
An unauthenticated remote attacker can read arbitrary image files from the disk that the PHP user has permission to open. This includes private user-profile photos protected by Access Control Lists (ACLs), admin-uploaded thumbnails, encrypted-video poster frames, and image content in sibling-app directories. The issue is caused by a path traversal flaw where the application fails to filter `..` segments or validate the destination path, allowing access to files outside the intended directory. The vulnerability is located in the endpoint "/view/img/image404Raw.php" via the `image` parameter, which is passed directly to the `readfile()` function. The application uses `getimagesize()` to verify that a file is an image, but this only checks magic bytes (file headers) and does not restrict the file path. Additionally, the use of `$_SERVER["REQUEST_URI"]` as a fallback when the `image` parameter is empty further increases the attack surface.
**Recommendations**
For versions 29.0 and earlier, implement the following security measures in the "/view/img/image404Raw.php" endpoint:
1. Reject any requests containing path-traversal segments such as `..`, null bytes (`\0`), or protocol schemes (`://`).
2. Use `realpath()` to resolve the absolute path and verify that the resulting path is contained within the intended `/videos/` or `/view/img/` directories.
3. Remove the `$_SERVER["REQUEST_URI"]` fallback and return a 400 Bad Request error if the `image` parameter is not provided.
4. As a temporary mitigation, restrict access to the "/view/img/image404Raw.php" endpoint or disable it until these changes are applied.
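The following is an added example of how recommendations 1 to 3 fit together in a hardened handler. It is not AVideo's own code; it assumes PHP 8+, that the `image` parameter is a path relative to one of the allowed roots, and an assumed directory layout for those roots.

```php
<?php
// Added hardening example for the `image` parameter handling described above.
// Not AVideo's own code. Assumes PHP 8+, and that `image` is a path relative
// to one of the allowed roots; the roots themselves are an assumed layout.

/**
 * Resolve $image inside one of $allowedRoots. Returns the canonical path of an
 * existing regular file confined to a root, or null if any check fails.
 */
function resolveAllowedImagePath(string $image, array $allowedRoots): ?string
{
    // Recommendation 1: reject traversal segments, null bytes and URL schemes
    // before touching the filesystem.
    if ($image === '' || str_contains($image, '..')
        || str_contains($image, "\0") || str_contains($image, '://')) {
        return null;
    }
    // Recommendation 2: canonicalise with realpath() and require the result to
    // stay under an allowed root (trailing slash stops /videos2 matching /videos).
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        $candidate = $rootReal === false ? false : realpath($rootReal . '/' . $image);
        if ($rootReal !== false && $candidate !== false && is_file($candidate)
            && str_starts_with($candidate, rtrim($rootReal, '/') . '/')) {
            return $candidate;
        }
    }
    return null;
}

// Recommendation 3: no $_SERVER['REQUEST_URI'] fallback; a missing parameter
// is a client error, not a reason to guess a path.
$image = $_GET['image'] ?? '';
if ($image === '') {
    http_response_code(400);
    exit('Missing image parameter');
}

$allowedRoots = [__DIR__ . '/../../videos', __DIR__]; // assumed AVideo layout
$path = resolveAllowedImagePath($image, $allowedRoots);

// getimagesize() only checks magic bytes, so it is a content check applied
// after the path is confined, never a substitute for the containment check.
$info = $path !== null ? @getimagesize($path) : false;
if ($info === false) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```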