PT-2026-26471 · Clonesite

Restriction · Published 2026-03-19 · Updated 2026-04-14 · CVE-2026-33293

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.0

Description: AVideo, an open source video platform, has a path traversal issue in the plugin/CloneSite/cloneServer.json.php file. The deleteDump parameter is passed directly to the unlink() function without proper path sanitization. An attacker with valid clone credentials can exploit this by using path traversal sequences (like ../../) within the deleteDump parameter to delete arbitrary files on the server. This includes critical application files such as configuration.php, potentially leading to complete denial of service or enabling further attacks by removing security-critical files.

The vulnerable code is located at lines 10-11 and 44-46 of the plugin/CloneSite/cloneServer.json.php file, where the $clonesDir variable is set and then used together with the unsanitized $_GET['deleteDump'] parameter. The deleteDump parameter is intended for deleting SQL dump files generated during the clone process, but the lack of validation allows attackers to bypass this intended functionality. The authentication guard thisURLCanCloneMe() requires valid clone credentials, which are held by approved clone partners.

Recommendations: Versions prior to 26.0 should be updated to version 26.0 or later. Apply basename() to the deleteDump parameter to strip any directory traversal components, ensuring the deletion is restricted to files within $clonesDir. Additionally, implement a realpath() check to verify that the resolved path remains within the intended directory.
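The following is an added example of the recommended hardening, written for this advisory; it is not AVideo's own code and not the patch shipped in 26.0. It assumes the caller has already passed the thisURLCanCloneMe() guard, that $clonesDir is the directory holding the SQL dumps, and (an assumption about naming) that dump files end in .sql. The function names resolveDumpPath() and deleteDump() are hypothetical.

```php
<?php
// Added example (not AVideo's code): hardened handling of a user-supplied
// dump file name, following the advisory's basename() + realpath() advice.
// Assumed: the thisURLCanCloneMe() authentication check has already run.

function resolveDumpPath(string $clonesDir, string $requested): ?string
{
    // 1. basename() drops every directory component, so a value such as
    //    "../../configuration.php" is reduced to "configuration.php" and can
    //    no longer point outside $clonesDir.
    $name = basename($requested);

    // Refuse empty or special names, and (assumption) anything that does not
    // look like a dump file produced by the clone process.
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_.-]+\.sql$/', $name)) {
        return null;
    }

    // 2. realpath() canonicalises both paths (resolving symlinks and any
    //    "." / ".." components). The resolved file must sit under the resolved
    //    dump directory; this also catches a dump file that is a symlink to a
    //    location elsewhere on the filesystem.
    $baseReal = realpath($clonesDir);
    $fileReal = realpath($clonesDir . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $fileReal === false) {
        return null; // directory or file does not exist
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside $clonesDir
    }
    if (!is_file($fileReal)) {
        return null; // never unlink directories or special files
    }
    return $fileReal;
}

function deleteDump(string $clonesDir, string $requested): bool
{
    $path = resolveDumpPath($clonesDir, $requested);
    if ($path === null) {
        // Log the refused value so repeated traversal attempts are visible
        // to the operator.
        error_log("deleteDump: refused '" . $requested . "'");
        return false;
    }
    return unlink($path);
}

// Self-contained demonstration on a constructed temporary layout:
//   <tmp>/clones/dump_1.sql      (a legitimate dump)
//   <tmp>/configuration.php      (a file outside the dump directory)
$tmp = sys_get_temp_dir() . '/clonesite_demo_' . bin2hex(random_bytes(4));
$clonesDir = $tmp . '/clones';
mkdir($clonesDir, 0700, true);
file_put_contents($clonesDir . '/dump_1.sql', "-- constructed dump\n");
file_put_contents($tmp . '/configuration.php', "<?php // constructed\n");

echo 'traversal request refused: ', var_export(!deleteDump($clonesDir, '../configuration.php'), true), PHP_EOL;
echo 'configuration.php still present: ', var_export(file_exists($tmp . '/configuration.php'), true), PHP_EOL;
echo 'in-directory dump deleted: ', var_export(deleteDump($clonesDir, 'dump_1.sql'), true), PHP_EOL;
echo 'dump_1.sql gone: ', var_export(!file_exists($clonesDir . '/dump_1.sql'), true), PHP_EOL;

// Remove the constructed layout.
@unlink($tmp . '/configuration.php');
@rmdir($clonesDir);
@rmdir($tmp);
```

Run with `php example.php`. The two checks are deliberately redundant: basename() alone already blocks the ../../ form described above, while the realpath() prefix comparison also covers cases basename() cannot see, such as a dump file that is itself a symlink out of $clonesDir. Refusing names that fail the dump-file pattern, and logging them, keeps the endpoint limited to its intended purpose and gives operators something to alert on.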

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33293
GHSA-5879-4FMR-XWF2
GHSA-XMJM-86QV-G226

Affected Products

Avideo
Clonesite