PT-2026-26301 · Avideo · Avideo

Restriction

Published 2026-03-19 · Updated 2026-03-21

CVE-2026-33238

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.0
Description: AVideo, an open source video platform, has a path traversal issue in the listFiles.json.php endpoint. The endpoint accepts a path POST parameter and passes it directly to the glob() function without restricting the path to an allowed base directory. This allows an authenticated uploader to traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating .mp4 filenames and their full absolute filesystem paths. The vulnerability allows access to files outside the web root, including private or premium media directories. The vulnerable code is located at objects/listFiles.json.php:8-45. The $_POST['path'] variable is used directly in glob() without normalization or a prefix check. The response includes obj->path, containing the full absolute filesystem path of each matched file. The extension filter limits results to .mp4 files, but does not prevent enumeration of video files in access-controlled locations. The canUpload permission is required to exploit this issue.
Recommendations: Versions prior to 26.0 should be updated to version 26.0 or later. Restrict the supplied path to an allowed base directory using realpath().
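As an added illustration (not AVideo's own code), the unsafe pattern the advisory describes next to a realpath()-based version of the recommended fix; the base directory, function names and JSON shape are assumptions.

```php
<?php
// Added example, not AVideo's code. $baseDir and the function names are illustrative.

// Unsafe pattern: the caller-supplied path goes straight into glob(), so any
// directory on the server can be listed and full filesystem paths are returned.
function listMp4Unsafe(string $userPath): array
{
    return glob(rtrim($userPath, '/') . '/*.mp4') ?: [];
}

// Hardened: treat the input as relative to an allowed base directory, canonicalise
// both with realpath() (which also resolves symlinks), and refuse anything that
// ends up outside the base. Only names relative to the base are returned.
function listMp4Safe(string $userPath, string $baseDir): array
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false || !is_dir($real)) {
        return [];   // missing path or not a directory: nothing to list
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return [];   // escaped the base via ../, an absolute path or a symlink
    }
    $out = [];
    foreach (scandir($real) ?: [] as $name) {   // scandir: no glob metacharacters
        $full = $real . DIRECTORY_SEPARATOR . $name;
        if (is_file($full) && strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'mp4') {
            $out[] = substr($full, strlen($prefix));   // relative, never absolute
        }
    }
    return $out;
}

// Usage with an assumed base directory; the permission check the endpoint
// already performs (canUpload) would still precede this.
$baseDir = __DIR__ . '/videos';
header('Content-Type: application/json');
echo json_encode(['files' => listMp4Safe((string)($_POST['path'] ?? ''), $baseDir)]);
```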

Tags: Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33238
GHSA-4WMM-6QXJ-FPJ4

Affected Products

Avideo