PT-2026-27185 · Avideo · Avideo

Restriction · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33681

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: AVideo is an open source video platform. The objects/pluginRunDatabaseScript.json.php API endpoint accepts a name parameter via POST and passes it to the Plugin::getDatabaseFileName() function without path traversal sanitization. This allows an authenticated administrator, or an attacker using Cross-Site Request Forgery (CSRF) against an authenticated administrator, to traverse outside the plugin directory and execute the contents of any install/install.sql file on the filesystem as raw SQL queries against the application database.

Recommendations: Update to a version beyond 26.0.
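The sanitization the description says is missing can be illustrated with a hypothetical PHP helper (an added example, not AVideo's code or its actual fix): the plugin name is checked against a strict allowlist before any filesystem access, and the resolved install/install.sql path is then verified to lie under the plugin directory. The function name and the $pluginRoot argument are assumptions for this example.

```php
<?php
// Added example, not AVideo's code. Resolves <pluginRoot>/<name>/install/install.sql
// only for a safe plugin name, and only when the canonical path stays inside
// the plugin directory. $pluginRoot is an assumed base directory.
function safePluginDatabaseFile(string $name, string $pluginRoot): ?string
{
    // 1. Structural allowlist: plugin directory names are plain identifiers.
    //    Rejects "..", "/", "\", NUL bytes and encoded variants up front,
    //    so no filesystem call ever sees attacker-shaped input.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return null;
    }

    // 2. Canonicalise the base directory once; fail closed if it is missing.
    $base = realpath($pluginRoot);
    if ($base === false) {
        return null;
    }

    // 3. Build the candidate path and canonicalise it (also resolves symlinks).
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name
        . DIRECTORY_SEPARATOR . 'install' . DIRECTORY_SEPARATOR . 'install.sql');
    if ($candidate === false) {
        return null; // no such file for this plugin
    }

    // 4. Containment check: the resolved file must sit below $base.
    //    The trailing separator stops "/plugins_evil" matching "/plugins".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Constructed demonstration in a temp directory so the example runs offline.
$root = sys_get_temp_dir() . '/plugins_demo_' . bin2hex(random_bytes(4));
mkdir("$root/Gallery/install", 0700, true);
file_put_contents("$root/Gallery/install/install.sql", "-- constructed sample\n");

var_dump(safePluginDatabaseFile('Gallery', $root));      // real path inside $root
var_dump(safePluginDatabaseFile('../../etc', $root));    // rejected by allowlist
var_dump(safePluginDatabaseFile("Gallery\0x", $root));   // rejected by allowlist
var_dump(safePluginDatabaseFile('Missing', $root));      // rejected: file absent
```

Only the first call returns a path; the others return NULL, which is the fail-closed behaviour a caller should treat as "do not run any SQL".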

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-33681
GHSA-3HWV-X8G3-9QPR

Affected Products

Avideo