PT-2026-26470 · Avideo · Avideo

Restriction · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33292

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.0
Description: AVideo, an open source video platform, has an authorization bypass caused by a path traversal issue in the HLS streaming endpoint (view/hls.php). The videoDirectory GET parameter is processed differently by the authorization check and by the file access, creating a split-oracle condition: the authorization check truncates the parameter at the first / segment, while the file access keeps traversal sequences such as ".." intact. This allows an unauthenticated attacker to stream any private or paid video on the platform by manipulating the videoDirectory parameter. The vulnerability exists because there are no mitigations along the path: no realpath() call and no filtering of ".." sequences. The issue affects all AVideo instances with at least one public video, which is the default configuration.
Recommendations: For versions prior to 26.0, sanitize the videoDirectory parameter so that path traversal sequences are rejected before any further processing. Add the following code at the top of view/hls.php:
if (empty($_GET['videoDirectory'])) {
  forbiddenPage("No directory set");
}

// Normalise Windows-style separators first, so a backslash cannot hide a traversal
$_GET['videoDirectory'] = str_replace('\\', '/', $_GET['videoDirectory']);
// Reject the parameter outright if it contains a ".." sequence anywhere
if (preg_match('/\.\./', $_GET['videoDirectory'])) {
  forbiddenPage("Invalid directory");
}
// Strip leading/trailing slashes and collapse repeated slashes
$_GET['videoDirectory'] = trim($_GET['videoDirectory'], '/');
$_GET['videoDirectory'] = preg_replace('#/+#', '/', $_GET['videoDirectory']);
Additionally, add a realpath() check in getPathToFile as defense-in-depth (objects/video.php:4636):
$newPath = str_replace('//', '/', $newPath);
// Resolve symlinks and "." / ".." components, then require the result to stay
// under the videos directory. Note that a plain prefix comparison also accepts a
// sibling such as ".../videos2"; compare against $realVideosDir with a trailing
// directory separator appended when tightening this further.
$realPath = realpath($newPath);
$realVideosDir = realpath($videosDir);
if ($realPath === false || strpos($realPath, $realVideosDir) !== 0) {
  return false;
}
return $newPath;
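Added example, not AVideo's code and not part of this advisory: one PHP validator that applies both recommended layers together, the lexical checks from the hls.php fix and the realpath() containment check from the getPathToFile fix, and runs it against constructed inputs including the split-oracle shape described above (a public video id followed by a traversal into another video's directory). The function name safeVideoDirectory, the temporary directory layout and the symlink case are assumptions; the containment check compares with a trailing separator, which goes slightly beyond the advisory's own snippet.

```php
<?php
// Added example, not AVideo's code: both layers of the recommended fix in one
// validator. safeVideoDirectory and the demo layout below are assumptions.
function safeVideoDirectory(string $videosDir, string $param)
{
    // Layer 1: lexical checks on the raw parameter (as in the hls.php fix).
    $dir = str_replace('\\', '/', $param);            // normalise Windows separators
    if ($dir === '' || preg_match('/\.\./', $dir)) {  // any ".." anywhere is rejected
        return false;
    }
    $dir = preg_replace('#/+#', '/', trim($dir, '/'));
    if ($dir === '') {
        return false;
    }
    // Layer 2: filesystem containment (as in the getPathToFile fix). A trailing
    // separator is appended so a sibling such as ".../videos2" is not accepted
    // merely because it starts with the string ".../videos".
    $root = realpath($videosDir);
    $real = realpath($videosDir . '/' . $dir);
    if ($root === false || $real === false || strpos($real . '/', $root . '/') !== 0) {
        return false;
    }
    return $dir;
}

// Constructed layout in a temp dir: a public video, a private video, a directory
// outside the videos root, and a symlink that points out of the root.
$base = sys_get_temp_dir() . '/avideo-demo-' . getmypid();
mkdir("$base/videos/public_video", 0700, true);
mkdir("$base/videos/private_video", 0700, true);
mkdir("$base/outside", 0700, true);
symlink("$base/outside", "$base/videos/escape");

$cases = [
    'public_video'                    => 'public_video', // plain id: allowed
    'public_video/../private_video'   => false,          // split-oracle shape
    'public_video\\..\\private_video' => false,          // backslash variant
    '/public_video//'                 => 'public_video', // slashes normalised
    'escape'                          => false,          // symlink leaves the root
    'missing_video'                   => false,          // nothing to stream
];
foreach ($cases as $input => $expected) {
    $got = safeVideoDirectory("$base/videos", $input);
    printf("%-32s -> %s\n", $input, var_export($got, true));
    if ($got !== $expected) {
        fwrite(STDERR, "unexpected result for $input\n");
        exit(1);
    }
}
```

The symlink case is what the lexical layer alone cannot catch; it is the reason the advisory asks for the realpath() check as defense-in-depth.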

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33292
GHSA-PW4V-X838-W5PG

Affected Products

Avideo