PT-2026-26491 · Avideo

Gr00Ve3 · Published 2026-03-19 · Updated 2026-03-23

CVE-2026-33354 · CVSS v3.1 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: The POST /objects/aVideoEncoder.json.php endpoint in AVideo lets the requester-controlled chunkFile parameter name an arbitrary local filesystem path. The isValidURLOrPath() helper does not sufficiently restrict these paths: it allows files anywhere within broad server directories, including /var/www/, the application root, cache, tmp, and videos, and excludes only .php files. An authenticated uploader can use this to read arbitrary local files, which are copied into that user's public video storage and become accessible over HTTP. The issue was confirmed by retrieving a TLS private key from /var/www/html/AVideo/.compose/letsencrypt/live/localhost/privkey.pem.

Recommendations: Versions prior to 26.0 should be updated. As a temporary workaround, restrict access to the aVideoEncoder.json.php endpoint or the chunkFile parameter until a patch is available.
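As an added illustration (not AVideo's own code), the check below contrasts a broad-prefix plus ".php" deny-list of the shape the description attributes to isValidURLOrPath() with a containment check that only accepts regular files resolved inside one dedicated staging directory; the directory and function names are assumptions.

```php
<?php
// Added illustration, not AVideo's own code. Shows why a prefix/extension
// deny-list of the kind the advisory describes is insufficient, beside a
// containment check. Directory and function names here are assumptions.

// Weak: broad allowed trees plus a ".php" deny-list. Any other readable file
// under those trees passes, including key material.
function weakIsValidPath(string $path): bool
{
    $allowedTrees = ['/var/www/', '/tmp/'];                 // far too broad
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'php') {
        return false;
    }
    foreach ($allowedTrees as $tree) {
        if (strncmp($path, $tree, strlen($tree)) === 0) {
            return true;
        }
    }
    return false;
}

// Strict: resolve symlinks and "..", then require the resolved path to be a
// regular file inside one dedicated chunk-staging directory.
function strictIsValidChunkPath(string $path, string $stagingDir): bool
{
    $realStaging = realpath($stagingDir);
    $real        = realpath($path);
    if ($realStaging === false || $real === false) {
        return false;                                       // nonexistent or unresolvable
    }
    $realStaging = rtrim($realStaging, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $realStaging, strlen($realStaging)) !== 0) {
        return false;                                       // escapes the staging directory
    }
    return is_file($real);
}

// Demonstration on a constructed staging directory holding one chunk.
$staging = sys_get_temp_dir() . '/chunk_staging_' . bin2hex(random_bytes(4));
mkdir($staging, 0700);
file_put_contents("$staging/chunk1.bin", 'constructed chunk data');
$keyLike = '/var/www/html/AVideo/.compose/letsencrypt/live/localhost/privkey.pem';

var_dump(weakIsValidPath($keyLike));                        // string-prefix check accepts it
var_dump(strictIsValidChunkPath($keyLike, $staging));       // outside staging: rejected
var_dump(strictIsValidChunkPath("$staging/chunk1.bin", $staging));    // staged chunk
var_dump(strictIsValidChunkPath("$staging/../chunk1.bin", $staging)); // traversal attempt

unlink("$staging/chunk1.bin");
rmdir($staging);
```

A stricter variant would not accept a path at all, but only a basename that the server joins onto the staging directory itself.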

Related Identifiers

CVE-2026-33354
GHSA-4JW9-5HRC-M4J6

Affected Products

Avideo