PT-2026-30988 · Wwbn · Avideo

Threalwinky · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39369

CVSS v3.1: 7.6 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions 26.0 and prior

Description

WWBN AVideo, an open source video platform, has an issue in the aVideoEncoderReceiveImage.json.php file. An authenticated uploader can fetch attacker-controlled URLs, bypassing traversal scrubbing and exposing server-local files through the GIF poster storage path. This allows reading local files, such as /etc/passwd or application source files, and republishing their content through a public GIF media URL.

Recommendations

Update to a version of WWBN AVideo later than 26.0.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-39369
GHSA-F4F9-627C-JH33

Affected Products

Avideo